Parameterize SQL query

Frontend Unresolved 5 663
Happy的楠姐 2020-12-04 02:35

Many posts about Parameters in SQL with C# but I am still missing something. I am not getting an error message but no data is inserted. What is missing? I have text boxes na

5 answers
  •  醉话见心
    2020-12-04 03:08

    The key issues in the provided sample are:

    • The definition of the sqlstring should have the parameter definitions in the string
    • The Call Stack is being reset when the error is thrown by creating a new error object
    • The SqlConnection and SqlCommand objects are not being disposed correctly (for example, the conn.Close() call is not part of the Finally section of the exception handler)
    • The Values of the SqlParameters are not being set
    • The Execute xx method on the SqlCommand object is not being called
    • String values are stored in a varchar type, not Text. Text is the deprecated SQL Server datatype for storing blobs.

    I would refactor the code as follows:

        // Requires: using System.Data; using System.Data.SqlClient;
        private void enter_button_Click(object sender, EventArgs e)
        {
            var first = fname.Text;
            var last = lname.Text;
            var addy = address.Text;
            var city1 = city.Text;
            var stat = state.Text;
            var zippy = zip.Text;

            Validate(fname);
            Validate(lname);
            Validate(city);
            Validate(state);
            exValidate(address);
            numValidate(zip);

            // Both objects are disposed (and the connection closed) even if ExecuteNonQuery throws.
            using (var conn = new SqlConnection("Data Source=TX-MANAGER;Initial Catalog=Contacts;Integrated Security=True"))
            using (var cmd = new SqlCommand(@"INSERT INTO Contacts ([First], [Last], [Address], [City], [State], [ZIP]) VALUES (@first, @last, @addy, @city1, @stat, @zippy)", conn))
            {
                // Object initializers ({ Value = ... }) so the array holds SqlParameter objects;
                // writing "new SqlParameter(...).Value = x" as an array element would store the
                // assigned value, not the parameter. Names must match the placeholders in the SQL text.
                cmd.Parameters.AddRange(
                    new[]
                    {
                        new SqlParameter("@first", SqlDbType.VarChar) { Value = first },
                        new SqlParameter("@last", SqlDbType.VarChar) { Value = last },
                        new SqlParameter("@addy", SqlDbType.VarChar) { Value = addy },
                        new SqlParameter("@city1", SqlDbType.VarChar) { Value = city1 },
                        new SqlParameter("@stat", SqlDbType.VarChar) { Value = stat },
                        // ZIP is sent as a typed SmallInt, so convert the text box string first.
                        new SqlParameter("@zippy", SqlDbType.SmallInt) { Value = short.Parse(zippy) }
                    });
                conn.Open();
                cmd.ExecuteNonQuery();
            }
        }


    Note: I prefer supplying the datatype of parameters since SqlCE does not always work correctly when no type is supplied.
