Creating a Parameterized query that allows user input stored as a string to compare to a database field

StackOverflow https://stackoverflow.com/questions/18391809

Question

I am almost 100% sure my problem is caused when adding an nvarchar value as my search key to the parameterized query. The problem arises that if I have apostrophes surrounding @exp, which is meant to be my placeholder, the query is interpreted as @exp being my search key rather than a placeholder. I would remove the apostrophes except that the query is not syntactically correct unless the search key is surrounded by apostrophes. It has been explained to me that I cannot just add the apostrophes to the value being inserted into the parameter because the execution plan has already been evaluated and the search key value will literally be 'Spanish' rather than Spanish. My question is how do I get around this. Please see the explanation below for a more extensive background on the issue.

As the title states, I have two dynamic queries, one using parameterization and one not; both queries are meant to do the exact same thing. The queries are used to return the number of members that have Primary or Secondary Experience in a particular language.

That being said, the queries are set up like this. The connection is set up properly and the value of String exp that is used in both queries is hardcoded to Spanish for testing.

Not using parameterization:

SQl_Command.CommandText = "SELECT COUNT(ID) As MyCount FROM members WHERE ([Primary Exp] = '" + exp + "') AND ([Approved] = 'True') OR ([Approved] = 'True') AND ([Secondary Exp] ='" + exp + "')";

Using parameterization:

SQl_Command.CommandText = "SELECT COUNT(ID) As MyCount FROM members WHERE ([Primary Exp] = @exp) AND ([Approved] = 'True') OR ([Approved] = 'True') AND ([Secondary Exp] = @exp)";
SQl_Command.Parameters.Add("@exp", SqlDbType.NVarChar, 255).Value = exp;

I have also tried:

SqlParameter param = new SqlParameter("@exp", SqlDbType.NVarChar, 255);
param.Value = exp;
SQl_Command.Parameters.Add(param);

I'm fairly certain the error has to do with how I add the value to the parameter or how I add the parameter to the SqlCommand in the context I need apostrophes surrounding the search key. If I put apostrophes in the CommandText at the time I also put the placeholders, the query runs but returns 0. Printing out the command text I get

SELECT COUNT(ID) As MyCount FROM members WHERE ([Primary Exp] = '@exp') AND ([Approved] = 'True') OR ([Approved] = 'True') AND ([Secondary Exp] = '@exp')

meaning it is searching for members with experience in @exp which would return 0 as no entries have that experience.

I would appreciate any help on this issue. If I have stated something in the above explanation that was wrong please let me know and if you would offer an explanation as to why I was wrong.
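The behaviour described in the question, reproduced as an added example that is not part of the original post or answer. It uses Python's built-in sqlite3 module as a stand-in for SQL Server and ADO.NET (sqlite binds named parameters as :exp where ADO.NET uses @exp), with a constructed members table, so it runs offline. It shows the three variants side by side: string concatenation, the quoted placeholder that silently searches for the literal text ':exp' and returns 0, and the correct unquoted placeholder. It also goes one step beyond the question by feeding a value that contains an apostrophe, which the concatenated query cannot even parse while the parameterized query handles it as plain data.

```python
import sqlite3

# Constructed sample rows standing in for the question's [members] table:
# (Primary Exp, Secondary Exp, Approved)
SAMPLE_MEMBERS = [
    ("Spanish", "French", "True"),
    ("German", "Spanish", "True"),
    ("Spanish", "German", "False"),   # not approved, must not be counted
    ("O'odham", "Spanish", "True"),   # a value containing an apostrophe
]

# The question's predicate with its column names; sqlite accepts the
# [bracketed] identifiers and uses :exp where ADO.NET uses @exp.
QUERY_PARAM = (
    "SELECT COUNT(ID) AS MyCount FROM members "
    "WHERE ([Primary Exp] = :exp AND [Approved] = 'True') "
    "OR ([Approved] = 'True' AND [Secondary Exp] = :exp)"
)


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (ID INTEGER PRIMARY KEY, [Primary Exp] TEXT, "
        "[Secondary Exp] TEXT, [Approved] TEXT)"
    )
    conn.executemany(
        "INSERT INTO members ([Primary Exp], [Secondary Exp], [Approved]) "
        "VALUES (?, ?, ?)",
        SAMPLE_MEMBERS,
    )
    return conn


def count_concat(conn, exp):
    """The question's non-parameterized form: the value is spliced into the SQL text."""
    sql = (
        "SELECT COUNT(ID) AS MyCount FROM members "
        "WHERE ([Primary Exp] = '" + exp + "' AND [Approved] = 'True') "
        "OR ([Approved] = 'True' AND [Secondary Exp] = '" + exp + "')"
    )
    return conn.execute(sql).fetchone()[0]


def count_quoted_placeholder(conn, exp):
    """The mistake from the question: quoting the placeholder makes it the
    literal string ':exp', so the bound value is never used and the count is 0."""
    sql = QUERY_PARAM.replace(":exp", "':exp'")
    return conn.execute(sql, {"exp": exp}).fetchone()[0]


def count_parameterized(conn, exp):
    """Correct form: the placeholder stays unquoted and the driver binds the
    value as data, so no quoting is needed for any string value."""
    return conn.execute(QUERY_PARAM, {"exp": exp}).fetchone()[0]


def concat_raises_syntax_error(conn, exp):
    """True if the concatenated query fails to parse for this value.
    An apostrophe in the data ends the string literal early."""
    try:
        count_concat(conn, exp)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("concat, Spanish:             ", count_concat(conn, "Spanish"))
    print("quoted placeholder, Spanish: ", count_quoted_placeholder(conn, "Spanish"))
    print("parameterized, Spanish:      ", count_parameterized(conn, "Spanish"))
    print("parameterized, O'odham:      ", count_parameterized(conn, "O'odham"))
    print("concat breaks on O'odham:    ", concat_raises_syntax_error(conn, "O'odham"))
```

With the constructed rows, both the concatenated and the parameterized query count 3 approved members for Spanish, while the quoted-placeholder variant counts 0, which is exactly the symptom in the question. The last two calls show why the parameter is the version to keep: the value with an apostrophe is matched correctly by the bound parameter, whereas the concatenated query turns it into a syntax error because the quoting is done by the caller instead of the driver.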


Solution

As mentioned by Chris, you do not need apostrophes for the parametrized version, since you are stating it is an NVarChar type. However, I have noticed that in your non-parametrized version you are not searching an NVarChar string, as this would be

SQl_Command.CommandText = "SELECT COUNT(ID) As MyCount FROM members WHERE ([Primary Exp] = N'" + exp + "') AND ([Approved] = 'True') OR ([Approved] = 'True') AND ([Secondary Exp] = N'" + exp + "')";

On the other hand, the parametrized version will automatically search using an NVarChar string since this is the type being specified. This could be a reason for the different result sets between the two, depending on how you are saving the data (are you possibly saving it as a VarChar string instead of an NVarChar?), and whether the data contains Unicode characters or not.

You may also want to look at the differences in the queries being sent to the database by using SQL Server Profiler.

Apologies for posting this as an answer, but I don't have the reputation to post it as a comment :)

Licensed under: CC-BY-SA with attribution