Home/ Questions/Q 667747
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T23:57:44+00:00

how string.format() can help to avoid using + in such statement: string statement =

  • 0

how string.format() can help to avoid using “+” in such statement:

 
string statement =" SELECT DISTINCT titel as linieName" +
                  " FROM qry_Forecast_Taktzeiten" +
                  " WHERE linieName LIKE 'lin%';";

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The statement above the + is used to concatenate seveal strings you created to make your code more readable. String.Format will not help you here!

    To avoid the string concatenation you could do the following:

    StringBuilder sb = new StringBuilder();
sb.Append(" SELECT DISTINCT titel as linieName");
sb.Append(" FROM qry_Forecast_Taktzeiten");
sb.Append(" WHERE linieName LIKE 'lin%';");
statement = sb.ToString();

    If you want to replace the ‘lin’ with some variable you have you can use:

    string statement =" SELECT DISTINCT titel as linieName" +
                  " FROM qry_Forecast_Taktzeiten" +
                  " WHERE linieName LIKE '{0}';";
statement = string.Format(staement, "lin%");

    or 

    sb.AppendFormat(" WHERE linieName LIKE '{0}';", "lin%");

    However, all of the methods above using string replacement ({0}) bear the risk of an SQL injection attack if the “lin%” is obtained from a user entry.

    So the best bet is to use:

    string statement =" SELECT DISTINCT titel as linieName" +
                      " FROM qry_Forecast_Taktzeiten" +
                      " WHERE linieName LIKE @match;";
SqlCommand cmd = new SqlCommand();
cmd.CommandText = statement;
cmd.Parameters.Add(new SqlParameter("@match", "lin%"));
    • 0