Is this the correct statement? If not, please help me correct it.
String query = "delete from favourite where username=" + Session["username"].ToString() + "and id=" + id;
Answer
If your question is purely about SQL, then yes, what you have will work. But, as you have it, you have a very serious security problem. Google “SQL injection attacks”. I’m not sure what you are using for data access (ADO.NET? Entity Framework? Dapper?), but regardless, you’ll want to use parameters:
var sql = "delete from favourite where username=@username and id=@id";
and then:
cmd.Parameters.AddWithValue("@username", Session["username"].ToString());
cmd.Parameters.AddWithValue("@id", id);
But even then, AddWithValue isn’t the best way, because it can cause type conversion issues once the query hits the database. You are better off doing it longhand:
// Declare each parameter with an explicit SQL type so the driver does not have to guess.
var userNameParam = new SqlParameter("@username", SqlDbType.VarChar);
userNameParam.Value = Session["username"].ToString();
var idParam = new SqlParameter("@id", SqlDbType.Int);
idParam.Value = id;
cmd.Parameters.Add(userNameParam);
cmd.Parameters.Add(idParam);
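The vulnerable concatenation from the question next to the typed, parameterized delete the answer recommends, as an added example rather than code from the question or the answer; it assumes ADO.NET with System.Data.SqlClient, that favourite.username is varchar(50) and favourite.id is int, and that the caller passes in the connection string and the session's username.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class FavouriteRepository
{
    // Form from the question: the session value is pasted straight into the SQL
    // text, so whatever it contains becomes part of the statement. It is also
    // missing the quotes around the username and the space before "and".
    public static string BuildConcatenated(string username, int id)
    {
        return "delete from favourite where username=" + username + "and id=" + id;
    }

    // Parameterized form: the SQL text is constant; the values travel separately
    // with an explicit type, so the application never quotes or escapes anything.
    // Returns the number of rows deleted (0 means nothing matched).
    public static int DeleteFavourite(string connectionString, string username, int id)
    {
        if (string.IsNullOrEmpty(username))
            throw new ArgumentException("username is required", nameof(username));

        const string sql = "delete from favourite where username = @username and id = @id";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Giving the VarChar type and length up front avoids the nvarchar
            // parameter AddWithValue would infer, which can force a server-side
            // conversion on the username column (assumed varchar(50) here).
            var userNameParam = new SqlParameter("@username", SqlDbType.VarChar, 50) { Value = username };
            var idParam = new SqlParameter("@id", SqlDbType.Int) { Value = id };
            cmd.Parameters.Add(userNameParam);
            cmd.Parameters.Add(idParam);

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```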