Your code is SQL Injection vulnerable.
Never use concatenated strings! Use parameterized queries instead.
For example:
using System.Data;
using System.Data.SqlClient;

string sConStr = @"your_connection_string_here!";
DataTable dt = new DataTable();
using (SqlConnection connection = new SqlConnection(sConStr))
{
    connection.Open();
    // The search value is bound as a parameter, never concatenated into the SQL text.
    string sql = @"SELECT * FROM TableName WHERE TextField LIKE @SomeString;";
    using (SqlCommand command = new SqlCommand(sql, connection))
    {
        // The LIKE wildcards belong in the parameter value, not in the SQL string.
        command.Parameters.AddWithValue("@SomeString", "%whatever%");
        using (SqlDataReader reader = command.ExecuteReader())
        {
            dt.Load(reader);
        }
    }
}
For further details, please read this:
Data Security: Stop SQL Injection Attacks Before They Stop You | Microsoft Docs
So, your final query should look like:
string query3 = @"Select CONCAT (FirstName, ' ', MiddleName, ' ', LastName, ', ', EmailAddress ) As ContactDetails
From Contacts
WHERE CompanyID=@CompanyID And (IsDelete Is null Or IsDelete = 0)";
Then you have to pass the @CompanyID parameter ;)
Good luck!
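As an added example (not code from the answer above), here is the final query wired up end to end with the CompanyID bound as a typed parameter, plus the input-validation step that belongs in front of it. It assumes System.Data.SqlClient and the Contacts table and columns named in the answer; the class and method names and the connection string are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ContactRepository
{
    // Runs the final query from the answer with CompanyID bound as a typed parameter.
    // Connection string, class name and method name are assumptions for this example.
    public static DataTable GetContactDetails(string connectionString, int companyId)
    {
        const string query3 = @"SELECT CONCAT(FirstName, ' ', MiddleName, ' ', LastName, ', ', EmailAddress) AS ContactDetails
FROM Contacts
WHERE CompanyID = @CompanyID AND (IsDelete IS NULL OR IsDelete = 0)";

        var dt = new DataTable();
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(query3, connection))
        {
            // Declaring the SqlDbType explicitly avoids AddWithValue inferring the
            // parameter type from the .NET value (which can cause implicit conversions
            // and defeat index use). The value travels out-of-band from the SQL text,
            // so input can never alter the structure of the statement.
            command.Parameters.Add("@CompanyID", SqlDbType.Int).Value = companyId;

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                dt.Load(reader);
            }
        }
        return dt;
    }

    // Taking the id from untrusted input (e.g. a query string or form field):
    // parse it into the expected type first and reject anything that is not a number.
    // Parameterization stops injection; type checking stops junk reaching the database.
    public static DataTable GetContactDetailsFromInput(string connectionString, string rawCompanyId)
    {
        if (!int.TryParse(rawCompanyId, out int companyId))
        {
            throw new ArgumentException("CompanyID must be an integer.", nameof(rawCompanyId));
        }
        return GetContactDetails(connectionString, companyId);
    }
}
```

Calling ContactRepository.GetContactDetailsFromInput(sConStr, Request["CompanyID"]) from a web handler is the intended usage: the string from the request is converted to an int, and only that int is ever handed to SqlCommand as a parameter value.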