-1
string alpha="this is text";
string sql = "INSERT INTO dokimastikospinakas (pliroforia) VALUES ('alpha')";

What is the right syntax to pass a C# variable into an SQL command?

3

7 Answers

13

Here's just one very simple method:

using System.Data.SqlClient;

var yourTextValue = "this is text";
// A real connection string goes into the SqlConnection constructor (see the EDIT below).
using (var db = new SqlConnection()) {
    db.Open();

    // @textValue is a placeholder in the SQL text; the actual value travels separately as data,
    // so it is never parsed as part of the statement.
    var command =
        new SqlCommand("INSERT INTO dokimastikospinakas (pliroforia) VALUES (@textValue);", db);
    command.Parameters.AddWithValue("@textValue", yourTextValue);

    command.ExecuteNonQuery();
}

EDIT: You'd actually need a connection string for the SqlConnection constructor, of course. And I modified the variable names by popular demand.


4 Comments

I think the @id variable name is a bit weak, but the answer is correct.
Using "id" for a string variable?
I mean, since I don't know what a pliroforia is I couldn't infer context. I guess I could have called the variable @phlargosmarfin instead.
@Yuck: Yes, you could have... and it would garner many more votes for the laugh. ;) +1
3

To avoid SQL injection vulnerabilities, I recommend:

string alpha = "this is text";
SqlCommand sqlComm = new SqlCommand();
// @var is a parameter marker, not a quoted literal (no single quotes around it)
sqlComm.CommandText = "INSERT INTO dokimastikospinakas (pliroforia) VALUES (@var)";
// Parameters live on the command's Parameters collection
sqlComm.Parameters.AddWithValue("@var", alpha);

..etc.

1 Comment

sqlComm.CommandText = "INSERT INTO dokimastikospinakas (pliroforia) VALUES ('@var')" would not work! You need to take out those single quotes from @var in that statement!
2

Look into using parameterized queries.

using System.Data;
using System.Data.SqlClient;

SqlCommand command = new SqlCommand();
// Declare the parameter with an explicit SQL type, then assign the C# value to it
command.Parameters.Add("@alpha", SqlDbType.NVarChar).Value = alpha;
command.CommandText = sql;

And your query would look like:

string sql = "INSERT INTO dokimastikospinakas (pliroforia) VALUES (@alpha)";


2
string insert = "INSERT INTO dokimastikospinakas (pliroforia) VALUES (@alpha)";

// Supply your own connection string in place of the ...
using (SqlConnection connection = new SqlConnection(...))
{
    connection.Open();
    using (SqlCommand command = new SqlCommand(insert, connection))
    {
        // Bind the C# value to the @alpha placeholder
        command.Parameters.AddWithValue("@alpha", alpha);
        command.ExecuteNonQuery();
    }
}


1

Are you using ADO.NET? Then parameterized queries are what you want:

// IDbCommand is an interface and cannot be instantiated directly;
// ask an open IDbConnection (here called connection) for a command instead
IDbCommand command = connection.CreateCommand();
command.CommandText = "INSERT INTO dokimastikospinakas (pliroforia) VALUES (@alpha)";
command.Parameters.Add(new SqlParameter("@alpha", alpha));

The above code snippet of course depends on the type of database you are using (especially which type of SqlParameter you add).

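The answers above all make the same point: the value must be bound as a parameter rather than spliced into the SQL text. The following is an added, self-contained example (not code from any of the answers) that shows both forms side by side using the provider-neutral System.Data.Common types (DbConnection, DbCommand, DbParameter) that the IDbCommand answer alludes to. It assumes the Microsoft.Data.Sqlite package so it runs offline against an in-memory database; the table name and column come from the question, and the two sample strings are constructed for the demonstration. Swapping SqliteConnection for SqlConnection leaves the rest of the code unchanged.

```csharp
// Added example, not from the original answers. Assumes the Microsoft.Data.Sqlite
// NuGet package (in-memory database) so it runs without a server; everything else
// is the provider-neutral ADO.NET API shared with System.Data.SqlClient.
using System;
using System.Data;
using System.Data.Common;
using Microsoft.Data.Sqlite;

class ParameterDemo
{
    // Inserts one row with a bound parameter. The value is sent as data, so quotes,
    // semicolons or comment markers inside it are stored verbatim and never parsed as SQL.
    static int InsertParameterized(DbConnection db, string pliroforia)
    {
        using DbCommand cmd = db.CreateCommand();
        cmd.CommandText = "INSERT INTO dokimastikospinakas (pliroforia) VALUES (@pliroforia)";
        DbParameter p = cmd.CreateParameter();
        p.ParameterName = "@pliroforia";
        p.DbType = DbType.String;   // declare the type explicitly rather than letting the provider guess
        p.Value = pliroforia;
        cmd.Parameters.Add(p);
        return cmd.ExecuteNonQuery();
    }

    // The concatenation from the question, kept only to contrast with the version above:
    // the value becomes part of the statement text, so a single quote inside it changes
    // the statement itself instead of being stored. Returns -1 when the database rejects it.
    static int TryInsertConcatenated(DbConnection db, string pliroforia)
    {
        using DbCommand cmd = db.CreateCommand();
        cmd.CommandText = "INSERT INTO dokimastikospinakas (pliroforia) VALUES ('" + pliroforia + "')";
        try
        {
            return cmd.ExecuteNonQuery();
        }
        catch (DbException ex)
        {
            Console.WriteLine("concatenated insert rejected: " + ex.Message);
            return -1;
        }
    }

    static long CountRows(DbConnection db)
    {
        using DbCommand cmd = db.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM dokimastikospinakas";
        return (long)cmd.ExecuteScalar()!;
    }

    static void Main()
    {
        using DbConnection db = new SqliteConnection("Data Source=:memory:");
        db.Open();
        using (DbCommand create = db.CreateCommand())
        {
            create.CommandText = "CREATE TABLE dokimastikospinakas (pliroforia TEXT)";
            create.ExecuteNonQuery();
        }

        // Constructed sample values: an ordinary string and one containing a single quote.
        string plain = "this is text";
        string withQuote = "O'Brien";

        InsertParameterized(db, plain);
        InsertParameterized(db, withQuote);    // stored exactly as typed, quote included
        Console.WriteLine("rows after parameterized inserts: " + CountRows(db));

        TryInsertConcatenated(db, plain);      // succeeds only because the value contains no quote
        TryInsertConcatenated(db, withQuote);  // the quote terminates the literal early: syntax error
        Console.WriteLine("rows after concatenated inserts: " + CountRows(db));

        // Read the quoted value back with another bound parameter to show it survived intact.
        using DbCommand read = db.CreateCommand();
        read.CommandText = "SELECT pliroforia FROM dokimastikospinakas WHERE pliroforia = @v";
        DbParameter v = read.CreateParameter();
        v.ParameterName = "@v";
        v.Value = withQuote;
        read.Parameters.Add(v);
        Console.WriteLine("read back: " + read.ExecuteScalar());
    }
}
```

The explicit DbType assignment is the detail worth copying: AddWithValue infers the type from the C# value, which is convenient but can produce a different SQL type (and hence a different plan or an implicit conversion) than the column actually has.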

0

Example using an OracleCommand object, where OraCon is the OracleConnection:

// Oracle bind variables use a colon prefix (:Alpha) instead of @Alpha
string sql = "INSERT INTO dokimastikospinakas (pliroforia) VALUES ( :Alpha )";
OracleCommand cmd = new OracleCommand(sql, OraCon);
cmd.CommandType = CommandType.Text;
// Bind the C# value to the :Alpha placeholder
cmd.Parameters.Add(":Alpha", alpha);
cmd.ExecuteNonQuery();


0
string alpha = "this is text";
// String concatenation: the value is pasted into the statement text, so a single quote
// inside alpha would break or change the SQL (compare the parameterized answers above)
string sql = "INSERT INTO dokimastikospinakas (pliroforia) VALUES ('" + alpha + "')";

This is the easiest way to do it, but it is not safe from SQL injection attacks. Instead, you should first check the value of alpha to ensure it is safe to use in a query.
