How to Use Variable Data in C# SQL Query String
I have a project I'm working in, which I did not create. I am still
relatively new to C# and ASP.NET as a whole. I am faced with this SQL
query:
var sql = @"SELECT * FROM [database] WHERE [submitDate] >=
Convert(datetime,'20130301')";
This of course behaves exactly as expected. What I need to do, however, is
make the 2013 part of the Convert(datetime,'20130301') bit actually equal
to the current year, so that we don't have to update this query every
single year.
Based on my limited experience I started by trying to concatenate in a C#
variable. Not only did that not work, but after some research I learned
that method can be an opening for potential SQL injection.
I read a bit about parameterizing the SQL Query, but everything I saw on
that led me to believe that I would have to rewrite/rethink how this data
is being pulled from the database in the first place.
Any advice on how to accomplish my goal?
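One way to do what the question asks, as an added example rather than code from the original post: keep the existing SELECT, replace the date literal with a parameter, and pass the cutoff (1 March of the current year) as a typed DateTime so no date text is ever spliced into the SQL. The connection string is assumed; the `[database]` table and `[submitDate]` column are taken from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class Submissions
{
    // Returns every row submitted on or after 1 March of the current year.
    // connectionString is assumed to come from the application's configuration.
    public static DataTable SinceMarchOfCurrentYear(string connectionString)
    {
        // The year comes from the clock, not from the query text, so the
        // query never needs a yearly edit.
        var cutoff = new DateTime(DateTime.Today.Year, 3, 1);

        // @cutoff is a placeholder; the value is sent separately from the SQL,
        // so it cannot change the statement's structure (no string concatenation).
        const string sql = "SELECT * FROM [database] WHERE [submitDate] >= @cutoff";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // A typed DateTime parameter replaces Convert(datetime,'20130301').
            command.Parameters.Add("@cutoff", SqlDbType.DateTime).Value = cutoff;

            var result = new DataTable();
            using (var adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(result); // opens and closes the connection itself
            }
            return result;
        }
    }
}
```

The rest of the code that consumes the result does not need to change, since it still receives the same rows; only the literal in the query was swapped for a parameter.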