C# SqlParameter

Data

SqlParameter makes SQL queries easier to build. It is part of the System.Data.SqlClient namespace. It provides an easy and fast way to parameterize queries. This yields bulletproof and simple code that accesses data.

SqlClient

Example

First we see an example that uses the simplest overload of the SqlParameter instance constructor and adds it to the SqlCommand type's Parameter collection. There are other ways to add parameters to an SQL query.

SqlCommand

Here:The most important thing is the principle of parameterized queries when using SQL databases.

Program that uses SqlParameter on command: C#

using System;
using System.Data.SqlClient;

class Program
{
    static void Main()
    {
	//
	// The name we are trying to match.
	//
	string dogName = "Fido";
	//
	// Use preset string for connection and open it.
	//
	string connectionString =
	    ConsoleApplication1.Properties.Settings.Default.ConnectionString;
	using (SqlConnection connection = new SqlConnection(connectionString))
	{
	    connection.Open();
	    //
	    // Description of SQL command:
	    // 1. It selects all cells from rows matching the name.
	    // 2. It uses LIKE operator because Name is a Text field.
	    // 3. @Name must be added as a new SqlParameter.
	    //
	    using (SqlCommand command = new SqlCommand(
		"SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
	    {
		//
		// Add new SqlParameter to the command.
		//
		command.Parameters.Add(new SqlParameter("Name", dogName));
		//
		// Read in the SELECT results.
		//
		SqlDataReader reader = command.ExecuteReader();
		while (reader.Read())
		{
		    int weight = reader.GetInt32(0);
		    string name = reader.GetString(1);
		    string breed = reader.GetString(2);
		    Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}",
			weight,
			name,
			breed);
		}
	    }
	}
    }
}

Output
    (This varies depending on your database contents.)

Weight = 130, Name = Fido, Breed = Bullmastiff
Using keyword

The program shows the SqlConnection, SqlCommand and SqlDataReader pattern. These objects can all be wrapped in "using" statements to ensure the best cleanup of their resources. The important part is where a new SqlParameter is added.

Using Statement Calls DisposeClass shapes

SqlParameter has several overloaded constructors. You will not need most of them. For simple cases, you can simply use the constructor with two parameters. The first parameter specifies a string that must match the query variable.

And:The second parameter specifies the value you want to be specified for that field.

Note:In the example, the string "Fido" is specified to match the Name column in the Dogs1 table.

SQL injection

Warning: exclamation mark

The SqlParameter pattern shown here is ideal for preventing hacker attempts on valuable web sites or other databases. Hackers insert "control characters" into queries issued over the Internet, in an attempt to gain control.

Tip:The SqlParameter syntax here will avoid all such injection attacks, rejecting the command by throwing an exception.

Note:For an illustration of SQL injection, see the XKCD web comic that shows how a student's name could influence the database integrity.

xkcd Comic: xkcd.com

Summary

The C# programming language

We used SqlParameter to parameterize a query in SQL Server using the C# language. The example here will not work for you immediately because you must have a database and connection string in your project first.

However:The general idea of using SqlParameter in this way to avoid SQL attacks is useful.

Thus:Performing database queries is a multi-step process in the .NET Framework. Some setup code is required.


C#: Data