
I want to get the value of a key with a dynamic where clause in the appSettings portion of web.config in my project (ASP.NET and C#), like this:

key="test" value="Select * from table where id=Textbox1.Text"

How can I achieve this?

Ali Soltani
helal

1 Answer


You can do it like this:

// Requires: using System.Data; using System.Data.SqlClient;
// Get the base SQL query from appSettings and append a parameterized where clause.
string sqlString = System.Configuration.ConfigurationManager.AppSettings["test"] + " where id=@id";

// Execute sqlString. "using" disposes the connection, command and reader even if an exception is thrown.
using (SqlConnection sqlConnection1 = new SqlConnection("Your Connection String"))
using (SqlCommand cmd = new SqlCommand())
{
    // Bind the textbox value as a parameter so it is sent to SQL Server as data, not as SQL text.
    SqlParameter param = new SqlParameter();
    param.ParameterName = "@id";
    param.Value = Textbox1.Text;
    cmd.Parameters.Add(param);

    cmd.CommandText = sqlString;
    cmd.CommandType = CommandType.Text;
    cmd.Connection = sqlConnection1;

    sqlConnection1.Open();

    using (SqlDataReader reader = cmd.ExecuteReader())
    {
        // Data is accessible through the DataReader object here.
    }
}

Edit

In C#, to prevent SQL injection, stop executing commands that do this. You should use SqlParameter.

Ali Soltani
  • This is dodgy and open to SQL injection attacks – Jeremy Thompson Aug 06 '17 at 03:17
  • Thanks for your answer. I am using the code below, but it is not showing anything: `var sql1 = System.Configuration.ConfigurationManager.AppSettings["test"] + "where id= " + TextBox1.Text; string conString = ConfigurationManager.ConnectionStrings["ConnectionString1"].ConnectionString; using (SqlConnection con = new SqlConnection(conString)) { SqlCommand cmd2 = new SqlCommand(sql1, con); cmd2.CommandType = CommandType.Text;` But without TextBox1.Text, it is showing data. Is it correct? – helal Aug 06 '17 at 04:53
  • @helal Please `upvote` and `accept` this answer if it helps you, so people know this is the correct answer and helps them. – Ali Soltani Aug 06 '17 at 05:19
  • @JeremyThompson Yes I know this may be dangerous, but he may have to do it in this way. – Ali Soltani Aug 06 '17 at 05:25
  • No he doesn't. Use parameterized queries if not Stored Procedures, don't give shit advice on here. – Jeremy Thompson Aug 06 '17 at 05:27
  • If I use this query `where id=TextBox1.Text` in code, how will group by/order by be used in Appsettings? Suppose, `select position, count(position) from table where id=TextBox1.Text group by position order by`... Please assist. – helal Aug 06 '17 at 05:29
  • @helal you can add group by or order by at the end of `sqlString`, like `... where id= " + Textbox1.Text + " order by id "`. – Ali Soltani Aug 06 '17 at 05:33
  • This is so bad, even if the TextBox contains a quote the whole thing will fail. Please amend your answer. – Jeremy Thompson Aug 06 '17 at 05:45
  • Actually, I would like to do it in appsettings. Is it possible? – helal Aug 06 '17 at 05:46
  • @helal Yes, it is possible, but as Jeremy **Thompson said**, a **SQL injection attack** might happen. – Ali Soltani Aug 06 '17 at 06:02
  • Yes, Jeremy Thompson is right. But it has been required for one query. Can you please describe how it will be in appsettings? – helal Aug 06 '17 at 06:33
  • @Ali Soltani, thanks for updating. Actually, all portions of the query will be in Appsettings. Can you please assist me to do it in appsettings... please help – helal Aug 06 '17 at 07:43
  • @helal What do you mean by all portions of query will be in `Appsettings`? – Ali Soltani Aug 06 '17 at 08:27
  • @helal Please upvote and accept this answer if it helps you, so people know this is the correct answer and helps them. – Ali Soltani Aug 27 '17 at 10:42
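The answer and the comment thread both come down to the same safe shape: keep the whole query text, including its group by and order by, in appSettings with a named placeholder, and bind the textbox value as a typed parameter instead of concatenating it. Here is a complete version of that, added as an example rather than code from the answer or from the asker; the key name `PositionReport`, the connection string name `ConnectionString1` and the `ReportQuery` class are assumptions.

```csharp
// Added example (not the answer's code). Assumes web.config contains:
//   <add key="PositionReport"
//        value="select position, count(position) from table where id=@id group by position order by position" />
// and a connection string named "ConnectionString1".
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class ReportQuery
{
    // Runs the configured query with the textbox value bound as a typed parameter.
    // The textbox text never becomes part of the SQL string, so a quote or
    // "1 or 1=1" typed into the box is rejected as a non-integer id, not run as SQL.
    public static List<KeyValuePair<string, int>> Run(string idText)
    {
        string sql = ConfigurationManager.AppSettings["PositionReport"];
        if (string.IsNullOrWhiteSpace(sql) || sql.IndexOf("@id", StringComparison.OrdinalIgnoreCase) < 0)
            throw new ConfigurationErrorsException("PositionReport must contain the @id placeholder.");

        // Validate the input in code before it ever reaches SQL Server.
        int id;
        if (!int.TryParse(idText, out id))
            throw new ArgumentException("id must be an integer.", "idText");

        string conString = ConfigurationManager.ConnectionStrings["ConnectionString1"].ConnectionString;
        var rows = new List<KeyValuePair<string, int>>();
        using (var con = new SqlConnection(conString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.CommandType = CommandType.Text;
            // Typed parameter: the value is sent separately from the statement text.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    rows.Add(new KeyValuePair<string, int>(reader.GetString(0), reader.GetInt32(1)));
            }
        }
        return rows;
    }
}
```

Call `ReportQuery.Run(TextBox1.Text)` from the page's code-behind. Column names used in group by and order by cannot be passed as parameters, so they stay fixed in the configured query text and only values come from the user.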