C# String Format Parameters

  • Question

  • Hello All,

    I have a question about the String.Format statement below.

    string sql = String.Format("<REMOVED>", System.Convert.ToInt32(Session["IDUser"]));

    When I use this string format for the SQL string,

    I get sql = "<REMOVED>" as the SQL query. Can you please tell me what "<REMOVED>" stands for?


    Thanks,
    Sandeep Jain.

    Thursday, October 30, 2008 1:46 PM

All replies

  • Based on your code, you're getting the results that you should. If you're trying to build a SQL query using this method (which is bad because it might open you up for SQL injection), you'll need to do something like this:

    string sql = String.Format("SELECT * from [Users] Where [userId]='{0}'", System.Convert.ToInt32(Session["IDUser"]));

    A more secure method than dynamically building the SQL would be to use a parameterized stored procedure.

    Hope this helps!
    Thursday, October 30, 2008 1:59 PM
  • Sandeep,

    What exactly are you trying to do? It's your format string that says "<REMOVED>", so it's hard to know what it stands for without being given some context.

    I do know that without numbered parameters in your string, the second parameter to string.format is useless here.
    David Morton - http://blog.davemorton.net/
    Thursday, October 30, 2008 2:39 PM
    Moderator
  • Hi,
    I'll explain exactly what I do.

    string sql = String.Format("<REMOVED>", System.Convert.ToInt32(Session["IDUser"]));

    SqlConnection conn = GetSqlConnection();

    SqlDataAdapter adapter = new SqlDataAdapter(sql, conn);

    DataTable friends = new DataTable();

    adapter.Fill(friends);

    conn.Close();

    When I use this string format for the SQL string,

    I get sql = "<REMOVED>" as the SQL query. Can you please tell me what "<REMOVED>" stands for?


    Thanks,
    Sandeep Jain.

    Thursday, October 30, 2008 6:31 PM
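The parameterized approach the first reply recommends, applied to the SqlDataAdapter/DataTable shape of Sandeep's snippet, as an added example that is not code from the original thread. It uses an inline parameterized SqlCommand rather than a stored procedure; both keep the value out of the SQL text, which is what defeats injection. GetSqlConnection is the poster's own helper, so a placeholder connection string stands in for it (an assumption), and the malicious input is constructed for illustration. The unsafe builder is kept alongside to show what goes wrong when the substituted value is a string: in the thread's code Convert.ToInt32 makes the value numeric, so that particular line cannot carry an injection payload, but the same String.Format pattern applied to a string value can.

```csharp
// Added example, not from the original thread.
// Assumes System.Data.SqlClient (ADO.NET) and a reachable SQL Server; the
// connection string below is a placeholder, not the poster's GetSqlConnection().
using System;
using System.Data;
using System.Data.SqlClient;

class FriendsQuery
{
    // Unsafe: the user-controlled value becomes part of the SQL text.
    // With a string value the quote can be closed and the query rewritten.
    static string BuildUnsafeSql(string userName)
    {
        return String.Format("SELECT * FROM [Users] WHERE [UserName]='{0}'", userName);
    }

    // Safe: the value travels as a typed parameter, never as SQL text, so the
    // query shape is fixed regardless of what the value contains.
    static DataTable LoadFriends(SqlConnection conn, int idUser)
    {
        const string sql = "SELECT * FROM [Users] WHERE [userId] = @userId";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declaring the parameter type means a non-integer can never reach
            // the server as anything other than a typed int.
            cmd.Parameters.Add("@userId", SqlDbType.Int).Value = idUser;
            using (var adapter = new SqlDataAdapter(cmd))
            {
                var friends = new DataTable();
                adapter.Fill(friends);   // Fill opens and closes the connection as needed
                return friends;
            }
        }
    }

    static void Main()
    {
        // Constructed malicious input: closes the quoted literal and appends a tautology,
        // turning a lookup for one user into a SELECT of every row.
        Console.WriteLine(BuildUnsafeSql("x' OR '1'='1"));

        // Placeholder connection string (assumption); replace with your own.
        using (var conn = new SqlConnection("Server=.;Database=App;Integrated Security=true"))
        {
            conn.Open();
            DataTable friends = LoadFriends(conn, 42);
            Console.WriteLine("{0} row(s) returned", friends.Rows.Count);
        }
    }
}
```

The unsafe builder is there only to make the failure visible; in production code the only pattern to keep is LoadFriends, where the SQL string is a constant and every runtime value is bound through cmd.Parameters.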