String and Quotes in them

I have the following SELECT Statement.

dbcommand.CommandText = "SELECT * FROM tblUsers WHERE Username=" + uname;

However, in order for it to work properly I have to put quotes around the result of the passed uname variable.  How do I do this in C#?

So if uname was passed as Mike, the SELECT statement would need to be SELECT * FROM tblUsers WHERE Username="Mike"
I cannot get the quotes around the name.

Thanks
sneeri_c Asked:
 
Éric Moreau, Senior .Net Consultant, Commented:
Hi sneeri_c,

dbcommand.CommandText = "SELECT * FROM tblUsers WHERE Username= '" + uname + "'";


Cheers!
0
 
anarki_jimbel Commented:
Just to add to emoreau (that's completely right):

Usually single quotes are used and the way is shown above. If you need double quotes for some reason, use escape chars:

dbcommand.CommandText = "SELECT * FROM tblUsers WHERE Username=\"" + uname + "\"";
0
 
andrewjb Commented:
Of course, this is an invitation to a code injection attack. You should use a command with parameters instead.


0
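The parameterized command suggested in the last comment, shown beside the concatenated form; this is an added example, not code from the thread. It assumes the Microsoft.Data.Sqlite NuGet package and an in-memory database so it runs offline; the method names, sample rows and inputs are constructed, and the placeholder syntax (`@uname` here) depends on the provider behind `dbcommand`.

```csharp
using System;
using Microsoft.Data.Sqlite; // assumption: SQLite provider, chosen so the demo needs no server

class Program
{
    // Hardened form: the SQL text is constant; uname is sent as a parameter value.
    static long CountParameterized(SqliteConnection conn, string uname)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM tblUsers WHERE Username = @uname";
        cmd.Parameters.AddWithValue("@uname", uname);
        return Convert.ToInt64(cmd.ExecuteScalar());
    }

    // Concatenated form from the answers above, kept only for comparison.
    static long CountConcatenated(SqliteConnection conn, string uname)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM tblUsers WHERE Username = '" + uname + "'";
        return Convert.ToInt64(cmd.ExecuteScalar());
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();

        // Constructed sample table and rows.
        using (var setup = conn.CreateCommand())
        {
            setup.CommandText =
                "CREATE TABLE tblUsers (Username TEXT);" +
                "INSERT INTO tblUsers VALUES ('Mike'), ('O''Brien'), ('Sam');";
            setup.ExecuteNonQuery();
        }

        // Constructed inputs: a plain name, a name with an apostrophe,
        // and a value that contains SQL syntax.
        string[] inputs = { "Mike", "O'Brien", "x' OR '1'='1" };
        foreach (var uname in inputs)
        {
            string concat;
            try { concat = CountConcatenated(conn, uname).ToString(); }
            catch (SqliteException ex) { concat = "SQL error " + ex.SqliteErrorCode; }
            Console.WriteLine(
                $"{uname,-14} concatenated={concat,-12} parameterized={CountParameterized(conn, uname)}");
        }
    }
}
```

With these inputs the concatenated query fails on the apostrophe in O'Brien and matches every row for the third value, while the parameterized query treats each value as a literal name.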
Question has a verified solution.
