
Nested If statement with Conditional “and” in SQL

I have this line of code

string sqlQuery = "SELECT studentid,StudentName,age,contact FROM tblStudent2 ";

if (txtStudentName.Text != "" && txtStudentId.Text != "" && txtAge.Text != "" && txtContact.Text != "")
{
    sqlQuery += " Where ";

    if (txtStudentName.Text != "")
    {
        sqlQuery += "StudentName = '" + txtStudentName.Text + "'";
    }
    sqlQuery += " and ";

    if (txtStudentId.Text != "")
    {
        sqlQuery += "studentId = '" + txtStudentId.Text + "'";
    }
    sqlQuery += " and ";

    if (txtAge.Text != "")
    {
        sqlQuery += "age ='" + txtAge.Text + "'";
    }

    sqlQuery += " and ";

    if (txtContact.Text != "")
    {
        sqlQuery += "contact ='" + txtContact.Text + "'";
    }
}

My goal is to select from the table (tblStudent2) with this SQL statement:

"SELECT studentid,StudentName,age,contact FROM tblStudent2 " + "and (TableColumns) and (TableColumns)"

But the goal is to add the "and" in between the nested IF parameters. If I were to add it into the if statement, the resulting sqlQuery will end with "and" as the last word of the statement if I append the "and" word.

I would suggest writing this logic without the boolean:

string sqlQuery = "SELECT studentid,StudentName,age,contact FROM tblStudent2";
string sqlWhere = "";
if (txtStudentName.Text != "")
{
    sqlWhere += "StudentName = '" + txtStudentName.Text + "' and ";
}
if (txtStudentId.Text != "")
{
    sqlWhere += "studentId = '" + txtStudentId.Text + "' and ";
}
if (txtAge.Text != "")
{
    sqlWhere += "age ='" + txtAge.Text + "' and ";
}
if (txtContact.Text != "")
{
    sqlWhere += "contact ='" + txtContact.Text + "' and ";
}
if (sqlWhere != "")
{
    // strip the trailing " and " (5 characters) before attaching the clause
    sqlQuery += " WHERE " + sqlWhere.Substring(0, sqlWhere.Length - 5);
}

That said, your code has a MAJOR problem. You are munging the query string with user-input values -- both due to SQL injection and due to unexpected (and hard to debug) syntax errors. This is very dangerous. You should be parameterizing the query, so it looks more like:

if (txtStudentName.Text != "")
{
    sqlWhere += "StudentName = @StudentName and ";
}

(and so on).

Then pass the parameters into the query when you execute it.
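To make the two points of this answer concrete (collect the predicates first so no dangling "and" is ever produced, and keep user input out of the SQL text), here is an added example that is not part of the original answer. It is written in Python against an in-memory SQLite database rather than in C#/ADO.NET so that it runs stand-alone; the table, the rows and the filter names are constructed for the demonstration. The concatenating builder mirrors the question's pattern, the parameterised builder mirrors the `@StudentName` approach, and the same tautology payload is run through both.

```python
import sqlite3

# Constructed sample rows standing in for tblStudent2; not data from the original post.
SAMPLE_ROWS = [
    (1, "Alice", 20, "555-0101"),
    (2, "Bob", 22, "555-0102"),
    (3, "Carol", 20, "555-0103"),
]

BASE_SQL = "SELECT studentid,StudentName,age,contact FROM tblStudent2"

# (column, filter keyword) pairs. Column names come only from this fixed list,
# so the SQL text never contains anything the user typed.
FILTER_COLUMNS = (
    ("StudentName", "name"),
    ("studentid", "student_id"),
    ("age", "age"),
    ("contact", "contact"),
)


def open_db():
    """In-memory SQLite database holding the constructed tblStudent2 rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblStudent2 "
        "(studentid INTEGER, StudentName TEXT, age INTEGER, contact TEXT)"
    )
    conn.executemany("INSERT INTO tblStudent2 VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_concat(**filters):
    """The question's pattern: user text spliced straight into the SQL string.

    Joining the collected predicates with ' and ' removes the dangling-'and'
    problem, but the values are still part of the SQL text, so a quote in the
    input changes what the query means.
    """
    predicates = []
    for column, key in FILTER_COLUMNS:
        value = filters.get(key, "")
        if value != "":
            predicates.append(column + " = '" + value + "'")
    return BASE_SQL + (" WHERE " + " and ".join(predicates) if predicates else "")


def build_query_params(**filters):
    """Same optional filters; each value travels in a parameter list, not in the SQL."""
    predicates, params = [], []
    for column, key in FILTER_COLUMNS:
        value = filters.get(key, "")
        if value != "":
            predicates.append(column + " = ?")  # '?' is sqlite3's positional placeholder
            params.append(value)
    sql = BASE_SQL + (" WHERE " + " and ".join(predicates) if predicates else "")
    return sql, params


def run_concat(conn, **filters):
    return conn.execute(build_query_concat(**filters)).fetchall()


def run_params(conn, **filters):
    sql, params = build_query_params(**filters)
    return conn.execute(sql, params).fetchall()


def concat_raises_syntax_error(conn, **filters):
    """True when the concatenated query is rejected by the database,
    e.g. because a surname such as O'Brien contains an apostrophe."""
    try:
        run_concat(conn, **filters)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = open_db()
    payload = "x' OR '1'='1"  # tautology typed into the student-name box
    print("concat, normal   :", run_concat(conn, name="Alice"))
    print("concat, injected :", run_concat(conn, name=payload))  # every row comes back
    print("params, injected :", run_params(conn, name=payload))  # nobody has that name
    print("concat, O'Brien  :", concat_raises_syntax_error(conn, name="O'Brien"))
```

With the filters collected into a list and joined, the "and" separator can only ever appear between two predicates, so the trailing-"and" case the question worries about cannot arise. The parameterised version produces the same SQL shape (`... WHERE studentid = ? and contact = ?`) but the typed values are bound separately, which is why the tautology payload returns no rows there and all rows from the concatenated builder.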

It's better to append 'AND' at the end of each statement placed in the if condition, and remove the last one, like below:

string sqlQuery = "SELECT studentid,StudentName,age,contact FROM tblStudent2";
string sqlWhere = " WHERE ";
bool flag = false;
if (txtStudentName.Text != "")
{
    sqlWhere += "StudentName = '" + txtStudentName.Text + "' and ";
    flag = true;
}
if (txtStudentId.Text != "")
{
    sqlWhere += "studentId = '" + txtStudentId.Text + "' and ";
    flag = true;
}
if (txtAge.Text != "")
{
    sqlWhere += "age ='" + txtAge.Text + "' and ";
    flag = true;
}
if (txtContact.Text != "")
{
    sqlWhere += "contact ='" + txtContact.Text + "' and ";
    flag = true;
}
if (flag == true)
{
    // at least one condition was added: drop the trailing " and " (5 characters)
    sqlQuery += sqlWhere.Substring(0, sqlWhere.Length - 5);
}
