You have a number of options here.
I prefer using stored procedures.
But if in fact you are using dynamic T-SQL, then use parameters.
For example:
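' Text command with a typed parameter instead of a concatenated value
Dim cmd As New SqlCommand()
cmd.CommandType = Data.CommandType.Text
cmd.CommandText = "SELECT * FROM [bets] WHERE closed = @int"
' someValue stands in for the value you want to bind
cmd.Parameters.Add("@int", SqlDbType.SmallInt).Value = someValue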
Next, put a "validaterequest=true" at the top of your page.
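An added example, not part of the original answer: the parameterized query above wrapped in a complete VB.NET function that also rejects non-numeric input before the query runs. The module and function names, `connectionString` and `rawClosed` are assumptions made for illustration.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Module BetsQuery
    ' connectionString and rawClosed (the untrusted request value) are assumed inputs.
    Public Function GetBetsByClosed(connectionString As String, rawClosed As String) As DataTable
        ' Parse to the column's type first; anything that is not a SMALLINT is refused.
        Dim closed As Short
        If Not Short.TryParse(rawClosed, closed) Then
            Throw New ArgumentException("closed must be a whole number", NameOf(rawClosed))
        End If

        Dim result As New DataTable()
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand("SELECT * FROM [bets] WHERE closed = @int", conn)
                cmd.CommandType = CommandType.Text
                ' The value is sent as typed data, separate from the SQL text,
                ' so it is never parsed as part of the statement.
                cmd.Parameters.Add("@int", SqlDbType.SmallInt).Value = closed
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    result.Load(reader)
                End Using
            End Using
        End Using
        Return result
    End Function
End Module
```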