Parameterize SQL query

Front-end · Unresolved · 5 · 650
Happy的楠姐 2020-12-04 02:35

Many posts about Parameters in SQL with C# but I am still missing something. I am not getting an error message but no data is inserted. What is missing? I have text boxes na

5 answers
  • 2020-12-04 02:50

    There are many ways of going about it. One of the ways is to replace the lines in the try block with:

    comm.Parameters.AddWithValue("@first", first);
    comm.Parameters.AddWithValue("@last", last);
    comm.Parameters.AddWithValue("@addy", addy);
    comm.Parameters.AddWithValue("@city1", city1);
    comm.Parameters.AddWithValue("@stat", stat);
    comm.Parameters.AddWithValue("@zippy", zippy);
    

    If you do that, you don't need all the SqlParameter initializations.

    And you obviously need to execute the command:

    comm.ExecuteNonQuery();
    
  • 2020-12-04 02:53

    You forgot to execute the command ;)

    EDIT: you also didn't use the parameters that you created at the beginning of the method.

        ...
        try
        {
            conn.Open();
            //SqlTransaction trans = conn.BeginTransaction();
            //comm.Transaction = trans;
            comm.Parameters.Add(firstparam);
            comm.Parameters.Add(lastparam);
            comm.Parameters.Add(addressparam);
            comm.Parameters.Add(cityparam);
            comm.Parameters.Add(stateparam);
            comm.Parameters.Add(zipparam);
    
            // This is what you forgot:
            comm.ExecuteNonQuery();
        }
        ...
    

    BTW, don't do things like that:

        catch (Exception ex1)
        {
            throw new Exception(ex1.ToString(), ex1);
        }
    

    It's useless, it just adds a new level of exception without adding anything useful. Just let the exception bubble up the stack until it reaches a catch block that actually does something useful.

  • 2020-12-04 02:57

    This will be much shorter:

    using (SqlConnection connection = new SqlConnection(connectionString))
    using (SqlCommand command = connection.CreateCommand())
    {
        command.CommandText = "INSERT INTO Contacts ([First], [Last], [Address], [City], [State], [ZIP]) VALUES (@first, @last, @address, @city, @state, @zip)";
    
        command.Parameters.AddWithValue("@first", first);
        // or
        // command.Parameters.Add("@first", SqlDbType.Type).Value = first;
        // ...
    
        connection.Open();
        command.ExecuteNonQuery();
    }
    

    But first of all here's what you missed:

    comm.Parameters.Add(firstparam);
    // instead of
    // comm.Parameters.Add("@first", SqlDbType.Text);
    

    and

    command.ExecuteNonQuery();
    
  • 2020-12-04 03:07

    Firstly you are not executing the command, you'll need to call comm.ExecuteNonQuery();, secondly your SQL string will be wrong. This line:

    var sqlstring = string.Format("INSERT INTO Contacts ([First] ,[Last] ,[Address] ,[City],
    [State],[ZIP]) VALUES {0}, {1}, {2}, {3}, {4}, {5})", @first, @last, @addy, @city1, 
    @stat, @zippy)
    

    Can just be:

    // A verbatim (@) string is needed for the literal to span two lines
    var sqlstring = @"INSERT INTO Contacts ([First] ,[Last] ,[Address] ,[City] ,[State],[ZIP])
                     VALUES (@first, @last, @addy, @city1, @stat, @zippy)";
    

    Thirdly you are not actually adding your parameters to your command. You create a parameter like so:

    SqlParameter zipparam;
    zipparam = new SqlParameter();
    zipparam.ParameterName = "@zippy";
    zipparam.Value = zippy;
    

    But you are adding this:

    comm.Parameters.Add("@zippy", SqlDbType.SmallInt);
    

    with no reference to zipparam. This means that the value zippy is never actually added to the command. You could do this all in one line using:

    // The parameter name is a string and must match the name used in the SQL text
    comm.Parameters.Add(new SqlParameter("@zippy", SqlDbType.SmallInt)).Value = zippy;
    
  • 2020-12-04 03:08

    The key issues in the provided sample are:

    • The definition of the sqlstring should have the parameter definitions in the string
    • The Call Stack is being reset when the error is thrown by creating a new error object
    • The SqlConnection and SqlCommand object are not being disposed correctly (for example, the conn.Close() call is not part of the Finally section of the exception handler).
    • The Value of the SqlParameters are not being set
    • The Execute xx method on the SqlCommand object is not being called
    • String Values are stored in a varchar type, not Text. Text is the deprecated SQL Server datatype to store blob.

    I would refactor the code as follows:

        private void enter_button_Click(object sender, EventArgs e)
        {
            var first = fname.Text;
            var last = lname.Text;
            var addy = address.Text;
            var city1 = city.Text;
            var stat = state.Text;
            var zippy = zip.Text;
    
            Validate(fname);
            Validate(lname);
            Validate(city);
            Validate(state);
            exValidate(address);
            numValidate(zip);
    
            using (var conn = new SqlConnection("Data Source=TX-MANAGER;Initial Catalog=Contacts;Integrated Security=True"))
            using (var cmd = new SqlCommand(@"INSERT INTO Contacts ([First], [Last], [Address], [City], [State], [ZIP]) VALUES (@first, @last, @addy, @city1, @stat, @zippy)", conn))
            {
                // Each parameter gets its Value through an object initializer, and each
                // name matches the placeholder used in the SQL text above
                cmd.Parameters.AddRange(
                    new[]
                        {
                            new SqlParameter("@first", SqlDbType.VarChar) { Value = first },
                            new SqlParameter("@last", SqlDbType.VarChar) { Value = last },
                            new SqlParameter("@addy", SqlDbType.VarChar) { Value = addy },
                            new SqlParameter("@city1", SqlDbType.VarChar) { Value = city1 },
                            new SqlParameter("@stat", SqlDbType.VarChar) { Value = stat },
                            new SqlParameter("@zippy", SqlDbType.SmallInt) { Value = zippy }
                        });
                conn.Open();
                cmd.ExecuteNonQuery();
            }
        }
    

    Note: I prefer supplying the datatype of parameters since SqlCE does not always work correctly when no type is supplied.

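A complete version of the insert that the answers above converge on, written here as an added example rather than code from the question or from any answer. It keeps the table, column and parameter names from the thread; the column sizes, the helper's name and the up-front conversion of the ZIP text to a short are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the thread): every parameter is typed, sized and bound to a
// value, ExecuteNonQuery is actually called, and both objects are disposed.
public static class ContactRepository
{
    private const string InsertSql =
        "INSERT INTO Contacts ([First], [Last], [Address], [City], [State], [ZIP]) " +
        "VALUES (@first, @last, @addy, @city1, @stat, @zippy)";

    // Returns the rows-affected count so the caller can tell whether anything was
    // written; the original click handler gave no such signal.
    public static int InsertContact(string connectionString, string first, string last,
                                    string addy, string city1, string stat, string zippy)
    {
        // Convert the ZIP text to the parameter's CLR type before touching the database.
        // A non-numeric value fails here with a FormatException, and anything above
        // 32767 (the SMALLINT ceiling the thread's schema chose) with an OverflowException.
        short zip = short.Parse(zippy);

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(InsertSql, conn))
        {
            // Typed, sized parameters (sizes are assumed): the values travel as data,
            // never spliced into the SQL text, so an apostrophe in a name cannot alter
            // the statement the way the string.Format version in the question allowed.
            cmd.Parameters.Add("@first", SqlDbType.VarChar, 50).Value = first;
            cmd.Parameters.Add("@last", SqlDbType.VarChar, 50).Value = last;
            cmd.Parameters.Add("@addy", SqlDbType.VarChar, 100).Value = addy;
            cmd.Parameters.Add("@city1", SqlDbType.VarChar, 50).Value = city1;
            cmd.Parameters.Add("@stat", SqlDbType.VarChar, 2).Value = stat;
            cmd.Parameters.Add("@zippy", SqlDbType.SmallInt).Value = zip;

            conn.Open();
            return cmd.ExecuteNonQuery(); // the call the question's handler never made
        }
        // Dispose closes the connection even when ExecuteNonQuery throws. There is no
        // catch that rewraps the exception, so the original stack trace is preserved.
    }
}
```

Call it with the connection string from the question's code and the six text box values; a return value of 1 confirms the row was inserted.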