How to pass long query string
21/01/2013 17:22:15
General information
Forum:
ASP.NET
Category:
Coding, syntax and commands
Environment versions
Environment:
C# 4.0
OS:
Windows 7
Network:
Windows 2003 Server
Database:
MS SQL Server
Miscellaneous
Thread ID:
01563515
Message ID:
01563555
Views:
38
>Not a good idea. It can allow SQL Injection to get in. Better to add each parameter into a Parameter object.
>
>FYI, you use StringBuilder when you concatenate strings over several statements.
>string s = "One";
>s = s + " Two";
>s = s + " Three";
>
>If you just build up the string in one statement, you can use +
>string s = "One" + " Two" + " Three";
>
>>Hi everybody,
>>
>>I am just wondering what is the best way to pass a query string to SqlCommand.ExecuteQuery.
>>
>>I would have used @ to construct it, but @ is used for parameter. So, do I construct it as several parts concatenated with + or do I need to do it through StringBuilder?
>>
>>Thanks in advance.

I do add parameters through Parameter statement, but the parameter uses @ in its name, e.g.

select top (1) devicetype from dbo.pmt_type where @CardNum between Range1 and Range2

This is my query string. I used @ to put the whole string into 1 variable.
If it's not broken, fix it until it is.
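
An added example, not code from the thread: the query above written as a C# verbatim string (`@"..."`) with `@CardNum` bound through a parameter, next to a concatenated version for contrast. The class and method names, the `varchar(19)` type for the card number and the sample inputs are assumptions made for illustration; no database connection is needed to run it.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class CardTypeLookup
{
    // Verbatim literal: the leading @ belongs to C# and lets the SQL span lines.
    // The @CardNum inside the quotes is a SQL Server parameter marker.
    const string Sql = @"
        select top (1) devicetype
        from dbo.pmt_type
        where @CardNum between Range1 and Range2";

    // Parameterized: the input travels as a typed value, never as SQL text.
    public static SqlCommand BuildParameterized(string cardNum)
    {
        var cmd = new SqlCommand(Sql);
        // Assumption: Range1/Range2 are varchar(19); adjust type and size to the real schema.
        cmd.Parameters.Add("@CardNum", SqlDbType.VarChar, 19).Value = cardNum;
        return cmd;
    }

    // Concatenated, shown only for contrast: the input becomes part of the statement.
    public static SqlCommand BuildConcatenated(string cardNum)
    {
        return new SqlCommand(
            "select top (1) devicetype from dbo.pmt_type where '" + cardNum +
            "' between Range1 and Range2");
    }

    static void Main()
    {
        // Constructed inputs; the second contains a stray quote.
        foreach (var input in new[] { "4000000000000002", "4000'0000" })
        {
            using (var safe = BuildParameterized(input))
            using (var unsafeCmd = BuildConcatenated(input))
            {
                // Same command text for every input; only the parameter value differs.
                Console.WriteLine("parameterized: {0} [@CardNum = {1}]",
                    safe.CommandText.Trim(), safe.Parameters["@CardNum"].Value);
                // Command text changes with the input, so the quote breaks the literal.
                Console.WriteLine("concatenated:  {0}", unsafeCmd.CommandText);
            }
        }
        // To execute: assign cmd.Connection to an open SqlConnection and call ExecuteScalar().
    }
}
```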

