Suppose you have to compare the value of a paticular cell with date field which comes from the database. Lets keep the date field in a variablesi,e.
CDateVariable = CDate(ds.Tables(1).Rows(0)(“DateFromDatabase”))

Keep the value in  the cell that u want to compare in a label control. Then check for the control in  the code behind in this way:
If e.Row.RowType = DataControlRowType.DataRow Then
Now Define a label variable in code behind
Dim lbl As Label
Now by using findcontrol attribute, assign the value of the label control in the cell to the variable ‘ lbl ‘ .
lbl = CType(e.Row.Cells(10).FindControl(“lblLastCorpReview”), Label)
Check wether the value in the label control is blank or not.
If lbl.Text <> “” Then
After that as we are comparing the date variable change the data type of the value in the label control to date in this fashion:
tLastCorpReview = CDate(lbl.Text)
Now compare the date ( or any condition you want):
If (DateTime.Compare(tLastCorpReview, DateFromDatabase)) < 0 Then
If the condition is true ( or false accordin to your bussiness logic) change the color of the cell using line below:(‘ changing the color of 10^th cell of each row)
e.Row.Cells(10).BackColor = System.Drawing.ColorTranslator.FromHtml(“#FFFFE6″)
End If
End If
End If

empID = Request.QueryString(”emp_id”)
SqlQuery=”SELECT emp_Name FROM employee WHERE emp_id= ‘ ” + empID + “ ‘ “
Now, if user clicks or inputs something to get the name of enployee, then he will get it. Like he can input the emp_id as 5 . But there’s no guarantee that all users will input just a number or what the programmer expects them to input. Just think what happens if any user unintentionally or a hacker intentionally inputs this :’ 5 ; DROP TABLE employee —‘ . What this does is it terminates the current statement with semicolon ( ; ) i.e, it terminates SELECT emp_name FROM employee WHERE emp_id=5 . And then another statement starts i.e, DROP TABLE employee . After that the ‘ — ‘ at last comments out everything after that.
This creates an SQL injection and can leave u completely breathless. Not only dropping the tables but hackers can even perform a join and retrieve all your data.
Now lets move into the solution for SQL injection.
1. Don’t use dynamic SQL statements. Even if you want to use , then use only with type-safe parameter encoding. Like done below

Dim empID AS String
Dim cmd AS New SqlCommand
Dim param AS New SqlParameter
empID=Request.QueryString ( “emp_id”)
cmd= “SELECT emp_Name FROM employee WHERE emp_id= @ empID
param((“empID”, SqlDbType.VarChar)
cmd.Parameters.Add(param)

2. Use stored procedures always as far as possible.
Conduct Security Review.

Slolution :

<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd“>
<html xmlns=”http://www.w3.org/1999/xhtml“>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″ />
<title>Untitled Document</title>
</head>
<body>
<?php

//connect to the database
 $user_name=”root”;
 $password=”password”;
 $database=”database_name”;
 $server=”localhost”;
 
 $db_handle=mysql_connect($server,$user_name,$password);
 $dbfound=mysql_select_db($database);
 
 if($dbfound)
 {
  echo “connected to database <br>”;
  $sql = “write the sql statement here”;
  $result = mysql_query($sql);

  while ($row = mysql_fetch_row($result)) {
   // check if file exists
   if file_exists(row['image'])
   {
    //copy the file

$source=’$_SERVER['DOCUMENT_ROOT'].”/images/”.row['image']‘;
$destination=’$_SERVER['DOCUMENT_ROOT'].”/tiles/”.row['products_style_code'].” - “.row['products_name'].”.jpg’

copy($source,$destination);   
   }
  }
 }
 else
 {
  echo “cannot connect to the database”;
 }
?>
</body>
</html>