
using a label as a condition in sql statement?

Developer https://www.devze.com 2023-04-01 09:11 Source: web
protected void goto_btn_Click(object sender, EventArgs e)
{
    // The label value comes from the query string set by the previous page
    lblevent.Text = Request.QueryString["name"];
    // The literal below is what should be replaced by the label's value
    const string SQL = "SELECT SMS FROM Event WHERE EventName = 'I want this to be lblevent'";
}

This lblevent is retrieved from an item selected in a listbox on another page using Request.QueryString. I want to use the lblevent in the WHERE condition to prevent hardcoding. I know that I can simply type the event name, but since I have more than one event I cannot do so. Please help. Thanks.


Use a parameterized query:

using System.Data.SqlClient;

string EventName = Request.QueryString["name"];
string Sql = "SELECT SMS FROM Event WHERE EventName = @EventName";
SqlCommand Command = new SqlCommand(Sql, connection);
// The value is bound to @EventName and sent separately from the SQL text,
// so quotes in it are never interpreted as SQL.
Command.Parameters.AddWithValue("@EventName", EventName);

And, as a cautionary tale, never format or append to a SQL query string directly:

//Don't do this
string Sql = "SELECT SMS FROM Event WHERE EventName = " + Request.QueryString["name"];
//Or this
string Sql = String.Format("SELECT SMS FROM Event WHERE EventName = {0}", Request.QueryString["name"]);
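To make the difference between the two patterns visible without a SQL Server instance, here is an added example (not code from the question or the answer) in Python against an in-memory SQLite table with constructed rows; `?` placeholders play the role of ADO.NET's `@EventName`. It shows that the concatenated form breaks as soon as a legitimate event name contains a quote, because the value is parsed as SQL, while the parameterized form returns the right row.

```python
import sqlite3

# Constructed stand-in for the Event table in the question (not the asker's data).
EVENTS = [
    ("Gala", "Gala reminder text"),
    ("Kids' Day", "Kids' Day reminder text"),
]


def make_db():
    """Build an in-memory Event(EventName, SMS) table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Event (EventName TEXT, SMS TEXT)")
    conn.executemany("INSERT INTO Event (EventName, SMS) VALUES (?, ?)", EVENTS)
    conn.commit()
    return conn


def sms_concatenated(conn, event_name):
    """The 'Don't do this' pattern: the request value is spliced into the SQL text,
    so the database parser sees whatever characters the user sent."""
    sql = "SELECT SMS FROM Event WHERE EventName = '" + event_name + "'"
    return [row[0] for row in conn.execute(sql)]


def sms_parameterized(conn, event_name):
    """The recommended pattern: the SQL text is fixed and the value is bound separately.
    sqlite3 uses '?' placeholders where ADO.NET uses '@EventName'."""
    sql = "SELECT SMS FROM Event WHERE EventName = ?"
    return [row[0] for row in conn.execute(sql, (event_name,))]


def compare(event_name):
    """Run both variants on one query-string value and report what happened."""
    conn = make_db()
    try:
        concat = sms_concatenated(conn, event_name)
    except sqlite3.Error as exc:
        # The value was parsed as SQL: a quote in a legitimate name already breaks it.
        concat = "error: " + type(exc).__name__
    return {"concatenated": concat, "parameterized": sms_parameterized(conn, event_name)}


if __name__ == "__main__":
    for name in ("Gala", "Kids' Day", "No such event"):
        print(repr(name), compare(name))
```

The concatenated query looks fine for "Gala", which is why this bug tends to survive testing; the parameterized query behaves identically for every input.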


The basics of SQL-injection prevention suggest that Matt's answer isn't the best idea. Please use something a little safer. I believe SqlParameter does automatic escaping. http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx
