
SqlParameter. This class makes SQL queries easier to build. It is part of the System.Data.SqlClient namespace and is a straightforward way to parameterize queries.

An example. Here we use the simplest overload of the SqlParameter instance constructor and add the result to the SqlCommand type's Parameters collection. There are other ways to add parameters. The most important thing is the principle of parameterized queries when using SQL databases.

Example, notes. The program shows the SqlConnection, SqlCommand and SqlDataReader pattern. These objects can be wrapped in "using" statements to ensure their resources are cleaned up.

Example, notes 2. SqlParameter has several overloaded constructors. You will not need most of them. For simple cases, you can use the constructor with two parameters.

Parameters: The first parameter specifies a string that must match the query variable. The second specifies the value for that field. In the example, the string "Fido" is specified to match the Name column in the Dogs1 table.

SQL injection. The pattern shown here is ideal for preventing database attacks. Attackers insert "control characters" into queries issued over the Internet in an attempt to gain control. The SqlParameter syntax here avoids such injection attacks: the value is sent to the server as data rather than spliced into the SQL text, so the inserted characters cannot alter the command, and a value that cannot be converted to the parameter's type is rejected with an exception.

Empty array tip. Sometimes we need an empty array of SqlParameter. We can use an empty array initializer to avoid having a null array. Thanks to Dean Goddard for writing in with a tip on how to use an empty SqlParameter array.

A summary. We used SqlParameter to parameterize a query in SQL Server. The example here will not work immediately—you must have a database and connection string in your project first. The general idea of using SqlParameter in this way to avoid SQL attacks is useful. Performing database queries is a multi-step process in the .NET Framework. Some setup code is required.

```csharp
using System;
using System.Data.SqlClient;

class Program
{
    static void Main()
    {
        // The name we are trying to match.
        string dogName = "Fido";

        // Use the preset connection string from the project's settings and open it.
        string connectionString = Properties.Settings.Default.Connection;
        using (SqlConnection connection = new SqlConnection(connectionString))
        {
            connection.Open();
            //
            // Description of SQL command:
            // 1. It selects all cells from rows matching the name.
            // 2. It uses the LIKE operator because Name is a Text field.
            // 3. @Name must be added as a new SqlParameter.
            //
            using (SqlCommand command = new SqlCommand(
                "SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
            {
                //
                // Add the new SqlParameter to the command.
                //
                command.Parameters.Add(new SqlParameter("Name", dogName));
                //
                // Read in the SELECT results.
                //
                SqlDataReader reader = command.ExecuteReader();
                while (reader.Read())
                {
                    int weight = reader.GetInt32(0);
                    string name = reader.GetString(1);
                    string breed = reader.GetString(2);
                    Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}",
                        weight,
                        name,
                        breed);
                }
            }
        }
    }
}
```

Output (this varies depending on your database contents):

Weight = 130, Name = Fido, Breed = Bullmastiff

Empty SqlParameter array:

```csharp
var parameters = new SqlParameter[] { };
```
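As an added illustration that is not part of the original page, here is the concatenated form the SQL injection note warns against beside a parameterized form that also escapes LIKE wildcards, a case the article's two-argument constructor does not cover. It assumes the Dogs1 table has Weight, Name and Breed columns in that order and a local SQL Server connection string; both are placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

class DogQueries
{
    // UNSAFE (shown for contrast): dogName is spliced into the SQL text, so a
    // quote in it ends the literal and the remainder is parsed as SQL.
    static SqlCommand UnsafeByName(SqlConnection connection, string dogName)
    {
        string sql = "SELECT * FROM Dogs1 WHERE Name LIKE '" + dogName + "'";
        return new SqlCommand(sql, connection);
    }

    // SAFE: the value travels as a typed parameter, never as SQL text. LIKE
    // wildcards (% _ [) are escaped as well: parameterization keeps the statement
    // intact but does not stop a wildcard in the value from widening the match.
    static SqlCommand SafeByName(SqlConnection connection, string dogName)
    {
        var command = new SqlCommand(
            "SELECT Weight, Name, Breed FROM Dogs1 WHERE Name LIKE @Name ESCAPE '\\'",
            connection);
        // Explicit type and size instead of letting the driver infer them from the value.
        command.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = EscapeLike(dogName);
        return command;
    }

    // Escape the characters that SQL Server's LIKE treats specially.
    static string EscapeLike(string value)
    {
        return value.Replace("\\", "\\\\").Replace("%", "\\%").Replace("_", "\\_").Replace("[", "\\[");
    }

    static void Main()
    {
        // Assumed connection string; substitute your project's own setting.
        string connectionString = "Server=(local);Database=Dogs;Integrated Security=true";
        using (var connection = new SqlConnection(connectionString))
        {
            connection.Open();
            using (SqlCommand command = SafeByName(connection, "Fido"))
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}",
                        reader.GetInt32(0), reader.GetString(1), reader.GetString(2));
            }
        }
    }
}
```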
