C# syntax ' “ + stringName + ” '

Question

What does ' " + stringName + " ' mean in c# ? I thought in programming if you enclose something withing quotes it will be treated as string.Some detail would be appreciated as i have just started learning c#

Code :

string sql_insertQuery = "INSERT into UserData(username,password,country) VALUES ('"+Usn.Text+"','lpxt','l.Text')";

Usn is the Id of a textbox, I am just testing right now but i know inputting information like this is not recommended because of SQL Injection

Edit : I understand the answers provided below about concatenation but why do i get error if i use

string sql_insertQuery = "INSERT into UserData(username,password,country) VALUES ("+Usn.Text+",'lpxt','l.Text')";

double quotes only

and why does using single quotes pass +Usn.Text+ as the input string

 string sql_insertQuery = "INSERT into UserData(username,password,country) VALUES ('+Usn.Text+','lpxt','l.Text')";

Answer 1

In this case the text inside the "Usn"-Control will be included into your SQL-query. Yet the String within the query will be surrounded by ''.

Like in this example:

    string stringVariable = "myString";
    Console.WriteLine("'" + stringVariable + "'");

Here the output will be:

'myString'

Notice how the output is surrounded by the single quotes.

Answer 2

Usn.Text is enclosed within one single quote and one double quote(double quotes within single quotes)

No.

This value is enclosed only single quotes since your username column is character typed.

But double quotes are for string concatenation for this these 3 strings;

"INSERT into UserData(username,password,country) VALUES ('"
Usn.Text
"','lpxt','l.Text')"

As you said, you should always use parameterized queries . This kind of string concatenations are open for SQL Injection attacks.

Edit : I understand the answers provided below about concatenation but why do i get error if i use

You didn't even tell us what error you get but I assume you try to insert your username character typed column, you have to use single quotes with it. Of course, if you use prepared statements , you can skip those quotes.

and why does using single quotes pass +Usn.Text+ as the input string

Because when you write VALUES ('+Usn.Text+','lpxt','l.Text')" , you insert your +Usn.Text+ as a string literal , It will not insert it's Text value, it will insert +Usn.Text+ as a string.

For example, if Usn.Text = "foo"; you will not insert that foo string, you will insert +Usn.Text+ in such a case.

Answer 3

The plus operator is used for string concatenation .
More can be read at the documentation/guide.
Excerpt from https://msdn.microsoft.com/en-us/library/ms228504.aspx :

Concatenation is the process of appending one string to the end of another string. When you concatenate string literals or string constants by using the + operator , t he compiler creates a single string. No run time concatenation occurs. However, string variables can be concatenated only at run time. In this case, you should understand the performance implications of the various approaches.

EDIT (since the question has been edited):
Since the double qotes and the + are in qotes, they won't be processed by the compiler and therefore be handled as strings. so you would literally add " + stringName + " to the database

A good explanation of single and double qotes can be found here:
https://stackoverflow.com/a/602035/3948598

Single quotes encode a single character (data type char), while double quotes encode a string of multiple characters. The difference is similar to the difference between a single integer and an array of integers.