Which code segment should you insert at line 06?

You create an application by using the Microsoft .NET Framework 3.5 and Microsoft ADO.NET.

The application contains a TextBox control named txtProductID. The application will return a list of active products that have the ProductID field equal to the txtProductID.Text property.
You write the following code segment. (Line numbers are included for reference only.)

01 private DataSet GetProducts(SqlConnection cn) {
02 SqlCommand cmd = new SqlCommand();
03 cmd.Connection = cn;
04 SqlDataAdapter da = new SqlDataAdapter(cmd);
05 DataSet ds = new DataSet();
06
07 da.Fill(ds);
08 return ds;
09 }

You need to populate the DataSet object with product records while avoiding possible SQL injection attacks.

Which code segment should you insert at line 06?

A.
cmd.CommandText = string.Format("sp_sqlexec 'SELECT ProductID, Name FROM Product WHERE ProductID={0} AND IsActive=1'", txtProductID.Text);

B.
cmd.CommandText = string.Format("SELECT ProductID, Name FROM Product WHERE ProductID={0} AND IsActive=1", txtProductID.Text);
cmd.Prepare();

C.
cmd.CommandText = string.Format("SELECT ProductID, Name FROM Product WHERE ProductID={0} AND IsActive=1", txtProductID.Text);
cmd.CommandType = CommandType.TableDirect;

D.
cmd.CommandText = "SELECT ProductID, Name FROM Product WHERE ProductID=@productID AND IsActive=1";
cmd.Parameters.AddWithValue("@productID", txtProductID.Text);


