C# SqlParameter Example: Constructor, Add

This C# program uses the SqlParameter type. It relies on System.Data.SqlClient.
SqlParameter. This class makes SQL queries easier to build. It is part of the System.Data.SqlClient namespace. It is an easy way to parameterize queries.
An example. Here we see the simplest overload of the SqlParameter instance constructor and adds it to the SqlCommand type's Parameter collection. There are other ways to add parameters.SqlCommand

Here: The most important thing is the principle of parameterized queries when using SQL databases.

C# program that uses SqlParameter on command using System; using System.Data.SqlClient; class Program { static void Main() { // // The name we are trying to match. // string dogName = "Fido"; // // Use preset string for connection and open it. // string connectionString = ConsoleApplication1.Properties.Settings.Default.ConnectionString; using (SqlConnection connection = new SqlConnection(connectionString)) { connection.Open(); // // Description of SQL command: // 1. It selects all cells from rows matching the name. // 2. It uses LIKE operator because Name is a Text field. // 3. @Name must be added as a new SqlParameter. // using (SqlCommand command = new SqlCommand( "SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection)) { // // Add new SqlParameter to the command. // command.Parameters.Add(new SqlParameter("Name", dogName)); // // Read in the SELECT results. // SqlDataReader reader = command.ExecuteReader(); while (reader.Read()) { int weight = reader.GetInt32(0); string name = reader.GetString(1); string breed = reader.GetString(2); Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}", weight, name, breed); } } } } } Output (This varies depending on your database contents.) Weight = 130, Name = Fido, Breed = Bullmastiff
Example, notes. The program shows the SqlConnection, SqlCommand and SqlDataReader pattern. These objects can be wrapped in "using" statements to ensure the best cleanup of their resources.Using
Example, notes 2. SqlParameter has several overloaded constructors. You will not need most of them. For simple cases, you can simply use the constructor with two parameters.

Parameters: The first parameter specifies a string that must match the query variable. The second specifies the value for that field.

Note: In the example, the string "Fido" is specified to match the Name column in the Dogs1 table.

SQL injection. The pattern shown here is ideal for preventing database attacks. Hackers insert "control characters" into queries issued over the Internet, in an attempt to gain control.

Tip: The SqlParameter syntax here will avoid all such injection attacks, rejecting the command by throwing an exception.

Empty array tip. Sometimes we need an empty array of SqlParameter. We can use an empty array initializer to avoid having a null array.Array

Tip: Thanks to Dean Goddard for writing in with a tip on how to use an empty SqlParameter array.

C# program that creates empty array var parameters = new SqlParameter[] { };
A summary. We used SqlParameter to parameterize a query in SQL Server. The example here will not work immediately—you must have a database and connection string in your project first.SqlClient
The general idea of using SqlParameter in this way to avoid SQL attacks is useful. Performing database queries is a multi-step process in the .NET Framework. Some setup code is required.
© 2007-2019 Sam Allen. Every person is special and unique. Send bug reports to
Dot Net Perls