To add to other solutions :
Quote:
Can I concatenate a query?
The way you did it, it is safe, the problem is when you concatenate user input values in query.
Something common is:
Query = "SELECT "
Query += "colA, "
Query += "colB, "
Query += "colC, "
Query += " FROM SomeTable"
if (condition1)
Query += " Where colA = @Value;"
elseif (condition2)
Query += " Where colB = @Value;"
else
Query += " Where colC = @Value;"
This make 3 different queries depending on conditions, it can safely get much more complicated.
What is dangerous is:
UserInput= "My input;drop SomeTable"
Query = "SELECT "
Query += "colA, "
Query += "colB, "
Query += "colC, "
Query += " FROM SomeTable"
Query += " Where colA = "
Query += UserInput
Query += ";"
Thanks to malicious input, you end up with this query :
SELECT colA, colB, colC, FROM SomeTable Where colA = My input;
drop SomeTable;
User input is promoted to code. That is "SQL Injection"