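// Injection-prone form, kept for contrast: the caller-supplied values are spliced into
// the statement text, so they can change the statement itself rather than only its data.
// The example SQL is corrected here (no stray comma before FROM, one user_name predicate
// instead of "username = user_name =") so that it differs from the parameterised version
// only in how the values reach the server.
string queryStr = "select email, fullname from t_employee where user_name = '" + username + "' and user_date between '" + startdate + "' and '" + enddate + "'";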
To prevent query injection we can change it by using stored procedures or
parameterised T-SQL (a stored procedure only helps if it does not itself build dynamic SQL from its inputs):
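// Parameterised T-SQL: the values are sent separately from the statement text and are
// never interpreted as part of the query. Note the original literal ended with a stray
// single quote after @enddate, which would have made the statement fail to parse.
string queryStr = "select email, fullname from t_employee where user_name = @USER and user_date between @startdate and @enddate";
cmd.CommandText = queryStr;
// Type and size must match the t_employee column definitions; 100 is an assumption here.
cmd.Parameters.Add("@USER", SqlDbType.NVarChar, 100).Value = username;
// Parameter names must match the placeholders exactly (the original "@startdate " carried a
// trailing space). startdate/enddate are assumed to already be DateTime values rather than
// raw strings — TODO confirm with the caller and parse/validate before this point if not.
cmd.Parameters.Add("@startdate", SqlDbType.DateTime).Value = startdate;
cmd.Parameters.Add("@enddate", SqlDbType.DateTime).Value = enddate;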