Not a good idea. It can allow SQL Injection to get in. Better to add each parameter into a Parameter object.
FYI, you use StringBuilder when you concatenate strings over several statements.
string s = "One";
s = s + " Two";
s = s + " Three";
If you just build up the string in one statement, you can use +
string s = "One" + " Two" + " Three";
>Hi everybody,
>
>I am just wondering what is the best way to pass query string to SqlCommand.ExecuteQuery.
>
>I would have used @ to construct it, but @ is used for parameter. So, do I construct it as several parts concatenated with + or do I need to do it through StringBuilder?
>
>Thanks in advance.
Craig Berntson
MCSD, Microsoft .Net MVP, Grape City Community Influencer
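
The advice in the reply above, as an added C# example that is not part of the original post: the same lookup built by concatenation and with a Parameter object. The Customers table, its columns and the sample input are assumptions; the commands are only built and printed, never executed, so no database is needed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class QueryDemo
{
    // Concatenation: the caller's value becomes part of the SQL text itself,
    // so a quote character in the value changes the statement's structure.
    static SqlCommand BuildConcatenated(string name)
    {
        return new SqlCommand(
            "SELECT Id, Name FROM Customers WHERE Name = '" + name + "'");
    }

    // Parameterized: the SQL text is a constant and the value travels
    // separately as a typed parameter. The leading @ makes a verbatim
    // (multi-line) string literal; the @name inside it is the parameter
    // marker. The two uses of @ do not conflict.
    static SqlCommand BuildParameterized(string name)
    {
        var cmd = new SqlCommand(@"
            SELECT Id, Name
            FROM Customers
            WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    static void Main()
    {
        string input = "O'Brien"; // constructed sample input

        SqlCommand unsafeCmd = BuildConcatenated(input);
        SqlCommand safeCmd = BuildParameterized(input);

        // The apostrophe ends the string literal early: the SQL text now
        // depends on what the user typed.
        Console.WriteLine("Concatenated text : " + unsafeCmd.CommandText);

        // The SQL text is identical for every input; only the parameter
        // value differs, and it is never parsed as SQL.
        Console.WriteLine("Parameterized text: " + safeCmd.CommandText.Trim());
        Console.WriteLine("Parameter @name   : " + safeCmd.Parameters["@name"].Value);
    }
}
```

Whether the constant query text is written with +, StringBuilder or a verbatim string makes no difference to safety, as long as user-supplied values only ever reach the command through Parameters.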