How use the parameterized queries in C#

No.of Views1053
Bookmarked0 times
Downloads 
Votes0
By  amalhashim   On  05 Apr 2010 08:04:19
Tag : CSharp , How to
Skill Level: Beginner
How use the parameterized queries in C#
emailbookmarkadd commentsprint

Images in this article missing? We recently lost them in a site migration. We're working to restore these as you read this. Should you need an image in an emergency, please contact us at info@codegain.com

 

Introduction


In msdn forums, a common question is regarding database retrieval and updation. To help such users I thought of bringing up this article. I want to give a concrete example, which will demonstrate the usage. To start with, I have a Employee database with a table named EmployeeDetails witht the following structure.

 

Image Loading

In the below code sample, I will show how to insert a record and get it back. To avoid the problems that can cause from SQL Injection, .Net framework has introduced Parameterized queries. Another way to get around this situation is using stored procedures.

using System;
using System.Data.SqlClient;

namespace ConsoleApplication2
{    
    class Program
    {
        public static void Main(string[] args)
        {
            string connectionString = "server=.;initial catalog=employee;user id=sa;password=sa123";

            using (SqlConnection conn = new SqlConnection(connectionString))
            {
                conn.Open();
                using (SqlCommand cmd = new SqlCommand("INSERT INTO EmployeeDetails Values(@Id, @Name, @Address)", conn))
                {
                    cmd.Parameters.Add("@Id", System.Data.SqlDbType.Int);
                    cmd.Parameters.Add("@Name", System.Data.SqlDbType.VarChar);
                    cmd.Parameters.Add("@Address", System.Data.SqlDbType.VarChar);

                    cmd.Parameters["@Id"].Value = 4;
                    cmd.Parameters["@Name"].Value = "Rooney";
                    cmd.Parameters["@Address"].Value = "Manchester United";

                    int rowsInserted = cmd.ExecuteNonQuery();

                    Console.WriteLine("Rows inserted = " + rowsInserted);
                }

                using (SqlCommand cmd = new SqlCommand("SELECT * FROM EmployeeDetails", conn))
                {
                    SqlDataReader reader = cmd.ExecuteReader();
                    if (reader.HasRows)
                    {
                        while (reader.Read())
                        {
                            Console.WriteLine(reader["Id"].ToString() + " " + reader["Name"].ToString() + " " + reader["Address"].ToString());
                        }
                    }
                    else
                    {
                        Console.WriteLine("No Rows");
                    }
                }
            }
        }
    }
}

Hope this was helpful.

 
Sign Up to vote for this article
 
About Author
 
amalhashim
Occupation-Software Engineer
Company-Aditi Technologies
Member Type-Senior
Location-Not Provided
Joined date-07 Jun 2009
Home Page-http://lamahashim.blogspot.com
Blog Page-http://lamahashim.blogspot.com
I have done my masters in Computer Applications and graduation in Computer Science. I have great passion in working with Microsoft tool and technologies. I am also a Microsoft Most Valuable Professional. Personally my objective is to design/develop applications which eases user experience and performs better in long run.
 
 
Other popularSectionarticles
Comments
There is no comments for this articles.
Leave a Reply
Title:
Display Name:
Email:
(not display in page for the security purphase)
Website:
Message:
Please refresh your screen using Ctrl+F5
If you can't read this number refresh your screen
Please input the anti-spam code that you can read in the image.
^ Scroll to Top