Saturday, July 25, 2009

Parameterized Queries.

Parameterized queries prevent SQL injection in your web application.
They allow you to safely write code like the following:

Let say, I have a SqlDataReader function to get the details of the particular ID:

public static SqlDataReader GetDetail(int id)
{
    // The value is passed as a parameter, never concatenated into the SQL text
    string sql = "select * from Raj_table where id = @id ";

    SqlParameter paramUserId = new SqlParameter("id", SqlDbType.Int);
    paramUserId.Value = id;

    // I like to use the SqlHelper class
    return SqlHelper.ExecuteReader(GetConnectionString(), CommandType.Text, sql, paramUserId);
}

Firstly, this parameter ensures that the value is an INT, so a string value would throw an exception here. Also, if we were using a VARCHAR parameter, the SqlParameter value assignment automatically escapes the string for us.

If you run SQL Profiler and observe the queries, you'll notice that they are actually executed via a stored procedure (sp_executesql).
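To make the difference concrete, here is an added example (not code from the original post, and using plain SqlCommand instead of the SqlHelper class) that puts the vulnerable string-concatenation version next to the parameterized one. The connection string, the `name` column and the `TryGetDetail` helper are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class DetailRepository
{
    // Assumed connection string; replace with your own.
    private const string ConnectionString =
        "Server=.;Database=RajDb;Integrated Security=true;";

    // VULNERABLE: the raw request value is spliced into the SQL text, so
    // whatever the user typed becomes part of the query's structure.
    public static SqlDataReader GetDetailUnsafe(string idFromRequest)
    {
        string sql = "select * from Raj_table where id = " + idFromRequest;
        SqlConnection conn = new SqlConnection(ConnectionString);
        conn.Open();
        return new SqlCommand(sql, conn).ExecuteReader(CommandBehavior.CloseConnection);
    }

    // SAFE: the value travels as a typed parameter. The SQL text is fixed,
    // and SqlDbType.Int rejects anything that is not an integer.
    public static SqlDataReader GetDetail(int id)
    {
        string sql = "select * from Raj_table where id = @id";
        SqlConnection conn = new SqlConnection(ConnectionString);
        conn.Open();
        SqlCommand cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        return cmd.ExecuteReader(CommandBehavior.CloseConnection);
    }

    // Same idea for a string column (the "name" column is assumed): a sized
    // VarChar parameter. Quotes in the value are sent as data and cannot
    // terminate the literal, so no manual escaping is needed.
    public static SqlDataReader GetByName(string name)
    {
        string sql = "select * from Raj_table where name = @name";
        SqlConnection conn = new SqlConnection(ConnectionString);
        conn.Open();
        SqlCommand cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@name", SqlDbType.VarChar, 50).Value = name;
        return cmd.ExecuteReader(CommandBehavior.CloseConnection);
    }

    // Convert the request string at the boundary so bad input is rejected
    // before it ever reaches the database.
    public static bool TryGetDetail(string idFromRequest, out SqlDataReader reader)
    {
        reader = null;
        int id;
        if (!int.TryParse(idFromRequest, out id)) return false;
        reader = GetDetail(id);
        return true;
    }
}
```

Run SQL Profiler against both methods: the unsafe one sends a different SQL batch for every input, while the parameterized one always sends the same text through sp_executesql with the value as a separate argument.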

Happy Programming!!

Friday, July 10, 2009

Sending Email with ASP.NET

An email consists of:
-From
-To
-CC
-BCC
-Subject
-Body

Based on these fields, below is the ASP.NET code to send the message:

First, add the namespace 'using System.Web.Mail;' to your aspx.cs page.

Then, inside the button_click event, add this code:

MailMessage mail = new MailMessage();
mail.From = "someone@google.com";
mail.To = "somebody@google.com";
mail.Cc = "badgirl@google.com";
mail.Subject = "Just to say hi";
mail.Bcc = "badboy@google.com";
mail.Body = "Happy B'day to you!!";

// If you are using a different mail server, replace this one with your own...
SmtpMail.SmtpServer = "smtp.gmail.com";
SmtpMail.Send(mail);

Sending Attachments:

MailMessage mail = new MailMessage();
mail.From = "someone@google.com";
mail.To = "somebody@google.com";
mail.Cc = "badgirl@google.com";
mail.Subject = "Just to say hi";
mail.Bcc = "badboy@google.com";
mail.Body = "Happy B'day to you!!";
mail.BodyFormat = MailFormat.Text;
// Attach a file from disk; the path must exist on the web server
mail.Attachments.Add(new MailAttachment("c:\\temp\\test.pdf"));

SmtpMail.SmtpServer = "smtp.gmail.com";
SmtpMail.Send(mail);

Happy Coding!!!