Passing bool to a SQL statement


Zatdam

Hi

I am relatively new to VS & C# so excuse me for this question

I am trying to pass a bool variable into a SQL statement but can't seem to
find the right syntax. I know to pass a string you use '"+strVar+"' but can't
seem to figure out bool.

(select * from tablet where active=chkActive.checkstate)
chkActive is on my windows form

Can someone point me in the right direction?

Many thanks for your help
 
Zatdam said:
I am relatively new to VS & C# so excuse me for this question

I am trying to pass a bool variable into a SQL statement but can't seem to
find the right syntax. I know to pass a string you use '"+strVar+"' but can't
seem to figure out bool.

(select * from tablet where active=chkActive.checkstate)
chkActive is on my windows form

Can someone point me in the right direction?

The real "right direction" would be to point you to documentation about "SQL
injection" and the use of "SqlCommand objects" instead of the dynamic string
building you're currently performing. I HIGHLY recommend you look into those
subjects. It'll show you how dangerous '" + strVar + "' is....

However, for the short term you can do something like this:

sql = "SELECT * FROM [SomeTable] WHERE SomeFlag = " + (chkActive.Checked ?
"1" : "0");
 
Jeff Johnson said:
The real "right direction" would be to point you to documentation about
"SQL injection" and the use of "SqlCommand objects" instead of the dynamic
string building you're currently performing. I HIGHLY recommend you look
into those subjects. It'll show you how dangerous '" + strVar + "' is....

Definitely a good point. On the other hand, only insertion of user-provided
strings is a problem, concatenating bool or numeric variables will never
cause special characters to be inserted and so is safe.
 
Thanks guys. That worked a treat and I will follow your advice and research
those subjects.
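
The approach recommended in the thread (a SqlCommand with parameters instead of string building), as an added example that is not part of any post above: it passes the checkbox's bool as a typed BIT parameter and contrasts that with the concatenated form. The `name` column, the `ActiveQueryExample` class and the sample value are assumptions made for illustration; `tablet`, `active` and `chkActive` come from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // .NET Framework; on .NET Core/5+ use the Microsoft.Data.SqlClient package

static class ActiveQueryExample // hypothetical class name
{
    // Concatenated form from the thread, shown only for contrast:
    // each value becomes part of the SQL text itself.
    static string BuildConcatenated(bool active, string name)
    {
        return "SELECT * FROM tablet WHERE active = " + (active ? "1" : "0") +
               " AND name = '" + name + "'"; // 'name' column is an assumption
    }

    // Parameterized form: the SQL text is a constant and every value
    // travels separately as a typed parameter.
    static SqlCommand BuildParameterized(bool active, string name)
    {
        var cmd = new SqlCommand(
            "SELECT * FROM tablet WHERE active = @active AND name = @name");
        // A C# bool maps to the SQL Server BIT type; no "1"/"0" conversion is needed.
        cmd.Parameters.Add("@active", SqlDbType.Bit).Value = active;
        // Explicit type and length; the string is sent as data, never parsed as SQL.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    static void Main()
    {
        bool active = true;       // stands in for chkActive.Checked
        string name = "O'Brien";  // constructed sample input containing a quote character

        // The apostrophe closes the string literal early, so this statement is malformed.
        Console.WriteLine(BuildConcatenated(active, name));

        using (SqlCommand cmd = BuildParameterized(active, name))
        {
            Console.WriteLine(cmd.CommandText); // identical for every input
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} ({1}) = {2}", p.ParameterName, p.SqlDbType, p.Value);

            // To execute, attach an open connection (the connection string is a placeholder):
            // using (var conn = new SqlConnection("<your connection string>"))
            // { conn.Open(); cmd.Connection = conn; using (var r = cmd.ExecuteReader()) { /* read rows */ } }
        }
    }
}
```

The example builds and prints the command without opening a connection, so it runs without a database.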
 