I have the following code
public DataTable PesquisarPorNome(string NomePesquisado)
{
try
{
DataTable tabela = new DataTable();
SqlDataAdapter adaptador = new SqlDataAdapter("SELECT * FROM tbEspecialidades WHERE NomeEspecialidade LIKE '%" + NomePesquisado + "%' ", conexao.StringConexao);
adaptador.Fill(tabela);
return tabela;
}
catch (Exception ex)
{
throw new Exception(ex.Message);
}
finally
{
conexao.DesconectarDoBanco();
}
}
I know that if I make this available, the cow goes to the swamp, because SQL Injection is there for this, but how to use parameters? Thanks