Problem with SQL Command - WHERE clause
I'm using this SqlCommand in my ASP.NET C# code-behind that will output the shopping cart for the currently logged-in user.
I get the ID of the logged in user and store it in a string variable and use it in my SQL command:
BasketPage.SelectCommand = "SELECT tblBasketDetails.BasketID, tblBasketDetails.BookID, tblBooks.Title, tblBasketDetails.Quantity, tblBasket.UserID, tblBasket.CreatedDate FROM tblBasket INNER JOIN tblBasketDetails ON tblBasket.BasketID = tblBasketDetails.BasketID INNER JOIN tblBooks ON tblBasketDetails.BookID = tblBooks.BookID WHERE (tblBasket.UserID = " + CurrentUser + ")";
However I'm receiving an error of "Incorrect syntax near 'd'."
The query is produced using the query builder in Visual Studio 2010; I don't know if this is causing the issue?
You need to replace a single apostrophe with a double in your parameter. Also, use parameters otherwise you open yourself to SQL injection attacks.
// C# has no free-standing replace(); use the string's Replace method to double any embedded apostrophe
"... WHERE (tblBasket.UserID = '" + CurrentUser.Replace("'", "''") + "')"
This assumes CurrentUser is a string value.
Your statement is wrong on so many levels..... read an intro book.
Let's see:
WHERE (tblBasket.UserID = " + CurrentUser + ")";
Ok: First, read up on "SQL injection attack" on Wikipedia. You just made one. Every idiot can hack your database by entering a smart user name, it seems. Congratulations. Use parameters.
If that is for a commercial customer site, and the customer sues you, know that "gross neglect" (as in: I have no clue what I actually do) is not a valid legal defense. SQL injection attacks are basic knowledge these days.
Second, IF you insist on putting your string together, note that if the user were "dumbo", then the statement would read UserID = dumbo, which would not be valid SQL. In valid SQL you need to put a string (dumbo) in delimiters (like: 'dumbo').
"The query is produced using the query builder in Visual Studio 2010; I don't know if this is causing the issue?"
Yes, it is. Using tools without knowing how the underlying technology works is rarely a good thing to do.
Why aren't you using this instead? http://www.aspnet101.com/2007/03/parameterized-queries-in-asp-net/
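Both answers point at the same fix: pass the user id as a parameter instead of splicing it into the SQL text. The following is an added example, not code from the original post; it assumes the table and column names from the question, that BasketPage is a SqlDataSource control, and uses a placeholder connection string.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

public static class BasketQueries
{
    // Same SELECT as in the question, with the literal replaced by a named parameter.
    // The value travels separately from the statement, so quotes inside it are data,
    // not syntax, and no Replace("'", "''") escaping is needed.
    private const string BasketSql =
        "SELECT tblBasketDetails.BasketID, tblBasketDetails.BookID, tblBooks.Title, " +
        "tblBasketDetails.Quantity, tblBasket.UserID, tblBasket.CreatedDate " +
        "FROM tblBasket " +
        "INNER JOIN tblBasketDetails ON tblBasket.BasketID = tblBasketDetails.BasketID " +
        "INNER JOIN tblBooks ON tblBasketDetails.BookID = tblBooks.BookID " +
        "WHERE tblBasket.UserID = @UserID";

    // Option 1: keep the SqlDataSource from the question (assumed type of BasketPage)
    // and hand it the value through SelectParameters instead of string concatenation.
    public static void BindBasket(SqlDataSource basketPage, string currentUser)
    {
        basketPage.SelectCommand = BasketSql;
        basketPage.SelectParameters.Clear();
        basketPage.SelectParameters.Add("UserID", TypeCode.String, currentUser);
    }

    // Option 2: plain ADO.NET. The parameter is declared with an explicit type and
    // length, so a non-numeric id such as a GUID string no longer produces
    // "Incorrect syntax near ..." and cannot alter the statement.
    public static DataTable LoadBasket(string connectionString, string currentUser)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(BasketSql, conn))
        {
            cmd.Parameters.Add("@UserID", SqlDbType.NVarChar, 256).Value = currentUser;
            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

If UserID is actually an integer or uniqueidentifier column, change the parameter's SqlDbType to match so SQL Server is not forced to convert the value.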