public DataTable GetDataTable(string spname,string parameters) { DatatTable dt=new DataTable(); try { using(sqlcommand cmd=new sqlcommand("",conn)) { ArrayList aParams; string[] avalues=parameters.Split(new String[] {"_"},StringSplitOptions.None); cmd.CommandType=CommandType.StpredProcedure; cmd.CommandText=spname; cmd.CommandTimeOut=Convert.ToInt32(ConfigurationManager.AppSettings[CommandTimeOut]); aParams=GetParameterList(spname); for(Int32 i=0;i<aParams.Count;i++) { cmd.Parameters.Add(new SqlParameters((String)aParams[i],(String)aValues[i])); } conn.Open(); SqlDataReader strReader; strReader=cmd.ExecureReader(); While(strReader.Read()) { dt.Rows.Add(strReader[0].ToString()); } conn.Close(); } } Catch(Exception ex) { //return ex; } return dt; }
Note: I am getting SQL Injection issue on this line " strReader=cmd.ExecureReader();".Please give me some suggestion to resolve this SQL Injection issues.