is this the correct statement if not plz help me correct it.
x
String query = "delete from favourite where username=" + Session["username"].ToString() + "and id=" + id;Advertisement
Answer
If your question is purely about SQL, then yes, what you have will work. But, as you have it, you have a very serious security problem. Google “SQL injection attacks”. I’m not sure what you are using for data access (ADO.NET? Entiry Framework? Dapper?) But regardless, you’ll want to use parameters:
var sql = "delete from favourite where username=@username and id=@id";and then:
cmd.Parameters.AddWithValue("@username", Session["username"].ToString());cmd.Parameters.AddWithValue("@id", id);But even then, AddWithValue isn’t the best way, because it can cause type conversion issues once the query hits the database. You are better off doing it longhand:
var userNameParam = new SqlParameter("username", SqlDbType.VarChar);userNameParam.Value = Session["username"].ToString();var idParam = new SqlParameter("id", SqlDbType.Int);idParam .Value = id;command.Parameters.Add(salaryParam);command.Parameters.Add(idParam );