Parameterized query issue
https://stackoverflow.com/questions/4733698
-
12-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianPergunta
I have my own DLL (for the data access layer). I use escaping characters technique to avoid the user input errors, but recently I decided to enhance my classes by using parameterized queries to prevent all possible errors. Will the modification be easy or difficult?
How to convert queries to use the parameterized queries?
Please show me some sample code to clarify the idea.
Solução
This is how i would do it in c#.net and SQL server.
string sQuery = @"INSERT INTO [UserJob]
(
[SIJCJOBID],
[SIJCCHDID],
[UserID],
[SageDatabaseID],
[MaxLineValue],
[MaxAuthorisationValue],
[UpdatedDate],
[UpdatedUser]
)
VALUES
(
@SIJCJOBID,
@SIJCCHDID,
@UserID,
@SageDatabaseID,
@MaxLineValue,
@MaxAuthorisationValue,
@UpdatedDate,
@UpdatedUser
)
SELECT SCOPE_IDENTITY() AS 'ID'";
using (SqlCommand oSqlCommand = new SqlCommand(sQuery))
{
oSqlCommand.Parameters.AddWithValue("@SIJCJOBID", this.SIJCJOBID);
oSqlCommand.Parameters.AddWithValue("@SIJCCHDID", this.SIJCCHDID);
oSqlCommand.Parameters.AddWithValue("@UserID", this.UserID);
oSqlCommand.Parameters.AddWithValue("@SageDatabaseID", this.SageDatabaseID);
oSqlCommand.Parameters.AddWithValue("@MaxLineValue", this.MaxLineValue);
oSqlCommand.Parameters.AddWithValue("@MaxAuthorisationValue", this.MaxAuthorisationValue);
oSqlCommand.Parameters.AddWithValue("@UpdatedDate", DateTime.Now);
oSqlCommand.Parameters.AddWithValue("@UpdatedUser", StaticStore.CurrentUser != null ? StaticStore.CurrentUser.UserName : "SYSTEM");
using (DataTable dt = DataTier.ExecuteQuery(oSqlCommand))
{
if (dt.Rows.Count == 1)
{
int.TryParse(dt.Rows[0]["ID"].ToString(), out m_UserJobID);
}
}
}
Licenciado em: CC-BY-SA com atribuição
Não afiliado a StackOverflow
