How to directly execute SQL query in C#?

Question

Ok, I have an old batch file that does exactly what I need. However, with out new administration we can't run the batch file anymore so I need to start up with C#.

I'm using Visual Studio C# and already have the forms set up for the application I need to build. (I'm learning as I go)

Here is what I need to accomplish in C# (This is the batch guts)

sqlcmd.exe -S .\PDATA_SQLEXPRESS -U sa -P 2BeChanged! -d PDATA_SQLEXPRESS  -s ; -W -w 100 -Q "SELECT tPatCulIntPatIDPk, tPatSFirstname, tPatSName, tPatDBirthday  FROM  [dbo].[TPatientRaw] WHERE tPatSName = '%name%' "

Basically it uses SQLCMD.exe with the already existing datasource called PDATA_SQLExpress.
I've searched and gotten close but I'm still at a loss on where to start.

Do you want to execute your existing batch file, or are you looking to connect to the database and run your query directly in C#? — Nate
– Nate, Commented Feb 11, 2014 at 17:56

The Guy with The Hat · Accepted Answer · 2014-03-28 14:21:15Z

184

To execute your command directly from within C#, you would use the SqlCommand class.

Quick sample code using paramaterized SQL (to avoid injection attacks) might look like this:

string queryString = "SELECT tPatCulIntPatIDPk, tPatSFirstname, tPatSName, tPatDBirthday  FROM  [dbo].[TPatientRaw] WHERE tPatSName = @tPatSName";
string connectionString = "Server=.\PDATA_SQLEXPRESS;Database=;User Id=sa;Password=2BeChanged!;";

using (SqlConnection connection = new SqlConnection(connectionString))
{
    SqlCommand command = new SqlCommand(queryString, connection);
    command.Parameters.AddWithValue("@tPatSName", "Your-Parm-Value");
    connection.Open();
    SqlDataReader reader = command.ExecuteReader();
    try
    {
        while (reader.Read())
        {
            Console.WriteLine(String.Format("{0}, {1}",
            reader["tPatCulIntPatIDPk"], reader["tPatSFirstname"]));// etc
        }
    }
    finally
    {
        // Always call Close when done reading.
        reader.Close();
    }
}

edited Mar 28, 2014 at 14:21

The Guy with The Hat

11.2k10 gold badges63 silver badges83 bronze badges

answered Feb 11, 2014 at 18:06

Nate

30.7k24 gold badges121 silver badges187 bronze badges

Sign up to request clarification or add additional context in comments.

13 Comments

Redracer68 Over a year ago

nate, I think I may be leaning this direction now. So far it seems like it will work, however I get an unhandled exception when running it. Invalid object namd 'dbo.TPatientRaw'.

Nate Over a year ago

@Redracer68 I suspect an issue with the SQL query. Try using the name of the table in your query, TPatientRaw instead of the full [dbo].[Table]

Redracer68 Over a year ago

Got it! Had to give a database to use as there is more than one! Works like a charm. Even pointed it to output the result to a richtextbox.

Fa773N M0nK Over a year ago

Is there any reason for the using on SqlConnection but not on SqlDataReader?

Nate Over a year ago

@Fa773NM0nK No good reason beyond its a sample and I forgot. For anyone wondering, here's a good read on why its a good idea: stackoverflow.com/questions/3386770/using-on-sqldatareader

|

Nicholas Carey · Accepted Answer · 2014-02-11 18:46:47Z

Something like this should suffice, to do what your batch file was doing (dumping the result set as semi-colon delimited text to the console):

// sqlcmd.exe
// -S .\PDATA_SQLEXPRESS
// -U sa
// -P 2BeChanged!
// -d PDATA_SQLEXPRESS
// -s ; -W -w 100
// -Q "SELECT tPatCulIntPatIDPk, tPatSFirstname, tPatSName, tPatDBirthday  FROM  [dbo].[TPatientRaw] WHERE tPatSName = '%name%' "

DataTable dt            = new DataTable() ;
int       rows_returned ;

const string credentials = @"Server=(localdb)\.\PDATA_SQLEXPRESS;Database=PDATA_SQLEXPRESS;User ID=sa;Password=2BeChanged!;" ;
const string sqlQuery = @"
  select tPatCulIntPatIDPk ,
         tPatSFirstname    ,
         tPatSName         ,
         tPatDBirthday
  from dbo.TPatientRaw
  where tPatSName = @patientSurname
  " ;

using ( SqlConnection connection = new SqlConnection(credentials) )
using ( SqlCommand    cmd        = connection.CreateCommand() )
using ( SqlDataAdapter sda       = new SqlDataAdapter( cmd ) )
{
  cmd.CommandText = sqlQuery ;
  cmd.CommandType = CommandType.Text ;
  connection.Open() ;
  rows_returned = sda.Fill(dt) ;
  connection.Close() ;
}

if ( dt.Rows.Count == 0 )
{
  // query returned no rows
}
else
{

  //write semicolon-delimited header
  string[] columnNames = dt.Columns
                           .Cast<DataColumn>()
                           .Select( c => c.ColumnName )
                           .ToArray()
                           ;
  string   header      = string.Join("," , columnNames) ;
  Console.WriteLine(header) ;

  // write each row
  foreach ( DataRow dr in dt.Rows )
  {

    // get each rows columns as a string (casting null into the nil (empty) string
    string[] values = new string[dt.Columns.Count];
    for ( int i = 0 ; i < dt.Columns.Count ; ++i )
    {
      values[i] = ((string) dr[i]) ?? "" ; // we'll treat nulls as the nil string for the nonce
    }

    // construct the string to be dumped, quoting each value and doubling any embedded quotes.
    string data = string.Join( ";" , values.Select( s => "\""+s.Replace("\"","\"\"")+"\"") ) ;
    Console.WriteLine(values);

  }

}

just a small correction: Console.WriteLine(values) --> Console.WriteLine(data)

Kaspars Ozols · Accepted Answer · 2018-03-07 07:10:44Z

4

IMPORTANT NOTE: You should not concatenate SQL queries unless you trust the user completely. Query concatenation involves risk of SQL Injection being used to take over the world, ...khem, your database.

If you don't want to go into details how to execute query using SqlCommand then you could call the same command line like this:

string userInput = "Brian";
var process = new Process();
var startInfo = new ProcessStartInfo();
startInfo.WindowStyle = ProcessWindowStyle.Hidden;
startInfo.FileName = "cmd.exe";
startInfo.Arguments = string.Format(@"sqlcmd.exe -S .\PDATA_SQLEXPRESS -U sa -P 2BeChanged! -d PDATA_SQLEXPRESS  
     -s ; -W -w 100 -Q "" SELECT tPatCulIntPatIDPk, tPatSFirstname, tPatSName,
     tPatDBirthday  FROM  [dbo].[TPatientRaw] WHERE tPatSName = '{0}' """, userInput);

process.StartInfo = startInfo;
process.Start();

Just ensure that you escape each double quote " with ""

edited Mar 7, 2018 at 7:10

answered Feb 11, 2014 at 17:53

Kaspars Ozols

7,0371 gold badge22 silver badges33 bronze badges

10 Comments

Redracer68 Over a year ago

Wow that was quick! And it's exactly what I was looking for!

Redracer68 Over a year ago

Quick question though. How would I add user input to this? Say from a textbox named GFIDuserinput in the same form? In the actual sqlcmd.exe string %name% is what needs to be supplied.

Brian Over a year ago

@Redracer68 - in the case you mentioned above, you could just concatenate the %name% value from the .Text property of the textbox.

Curtis Rutland Over a year ago

I wouldn't suggest directly concatenating user input unless you want to be vulnerable to SQL injection.

Redracer68 Over a year ago

That isn't really a concern right now. These are closed-off networks with no real security threats like that. It's cool though. I should be able to take it from here. Thanks a ton!

|

Collectives™ on Stack Overflow

How to directly execute SQL query in C#?

3 Answers 3

13 Comments

1 Comment

10 Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

3 Answers 3

13 Comments

1 Comment

10 Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related