
How to use an integer variable in a SQL Server query?

I have a problem with my SQL query. I have a database in SQL Server.

int number = int.Parse(textbox.Text);
var sqlconn = new SqlConnection(@"Server=(localdb)\MSSQLLocalDB; AttachDbFileName=|DataDirectory|db.mdf;");
sqlconn.Open();
var sqlcomm = new SqlCommand("SELECT * FROM table WHERE title = number", sqlconn);

What is the correct syntax for this: title = number?

I suggest using parameters to avoid SQL injection.

Could look like this.

using (SqlCommand command = new SqlCommand("SELECT * FROM table WHERE title = @Number", connection))
{
    command.Parameters.Add(new SqlParameter("@Number", int.Parse(textbox.Text)));

    //read data
}

You can add the integer inline by doing the following:

var sqlcomm = new SqlCommand("SELECT * FROM table WHERE title = " + number.ToString(), sqlconn);

or you can add it as a parameter like the following:

var sqlcomm = new SqlCommand("SELECT * FROM table WHERE title = @num", sqlconn);
sqlcomm.Parameters.AddWithValue("@num", number);

This is a very basic question which you could have easily solved by just googling it.

Anyways, you want to use parameterized SQL command here.

var sqlcomm = new SqlCommand("SELECT * FROM table WHERE title = @number", sqlconn);
SqlParameter param = new SqlParameter();
param.ParameterName = "@number";
param.Value = int.Parse(textbox.Text);
sqlcomm.Parameters.Add(param);
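
An added end-to-end example, not part of any answer above: it validates the text box value with int.TryParse, binds it as a typed INT parameter, and reads the rows with every disposable wrapped in using. The class and method names are hypothetical; the connection string, table and column names are the question's placeholders and must be adapted to your database.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class TitleLookup
{
    // Connection string copied from the question (adjust for your setup).
    // [table] and title are the question's placeholder names; TABLE is a
    // reserved word in T-SQL, hence the brackets.
    const string ConnStr =
        @"Server=(localdb)\MSSQLLocalDB; AttachDbFileName=|DataDirectory|db.mdf;";

    // Returns the matching rows, or null when the input is not an integer.
    public static List<object[]> FindByTitle(string rawInput)
    {
        // Reject non-numeric input up front instead of letting int.Parse throw.
        if (!int.TryParse(rawInput, out int number))
            return null;
        var rows = new List<object[]>();
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "SELECT * FROM [table] WHERE title = @Number", conn))
        {
            // Explicit SqlDbType: the value is sent as a typed INT parameter
            // and is never spliced into the SQL text.
            cmd.Parameters.Add("@Number", SqlDbType.Int).Value = number;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    var values = new object[reader.FieldCount];
                    reader.GetValues(values);
                    rows.Add(values);
                }
            }
        }
        return rows;
    }

    static void Main()
    {
        // Constructed sample inputs: one integer, one non-integer.
        foreach (string input in new[] { "42", "abc" })
        {
            List<object[]> rows = FindByTitle(input);
            Console.WriteLine(rows == null
                ? input + ": rejected, not an integer"
                : input + ": " + rows.Count + " row(s)");
        }
    }
}
```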
