Inserting / updating SQL from C#
Building the SQL statement by concatenating strings in C# is a poor way to do it. Special characters in the data can break the statement, and the data you later read back from SQL may no longer match what you stored.
You really want to bind your parameters. It prevents SQL injection attacks, and because the statement text stays the same on every call, the server can reuse its execution plan and the query runs faster.
Here’s a simple piece of code as an example:
using System.Data.SqlClient;

// we'll assume there's a connection set up in the instance

// pass a value
public void updateLog(string msg) {
    // create your command; note the @msg where the parameter will go
    SqlCommand cmd =
        new SqlCommand("insert into log(msg) values (@msg)", this.conn);

    // bind the value to the parameter reference
    cmd.Parameters.AddWithValue("@msg", msg);

    // fire
    try {
        cmd.Connection.Open();
        cmd.ExecuteNonQuery();
    } finally {
        cmd.Connection.Close();
    }
}
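As an added example (not the post's own code), here is the string-building approach the text warns against beside the parameterized version, fed a constructed message containing an apostrophe; the connection string and the 2000-character column length are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LogWriter
{
    // Constructed sample input: an apostrophe is enough to break a
    // concatenated statement, and it is the classic injection character.
    private const string SampleMessage = "user O'Brien logged in";

    // Vulnerable: the message text becomes part of the SQL statement.
    // With SampleMessage this yields
    //   insert into log(msg) values ('user O'Brien logged in')
    // which is a syntax error at best and an injection point at worst.
    public static string BuildConcatenated(string msg)
    {
        return "insert into log(msg) values ('" + msg + "')";
    }

    // Safe: the statement text is fixed; the value travels separately as a
    // typed parameter, so the server never parses the message as SQL.
    public static int InsertParameterized(string connectionString, string msg)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("insert into log(msg) values (@msg)", conn))
        {
            // Explicit type and length instead of AddWithValue: AddWithValue
            // infers the type from the C# value (an NVARCHAR sized to each
            // message), which produces one cached plan per distinct length.
            // 2000 is the assumed width of the log.msg column.
            cmd.Parameters.Add("@msg", SqlDbType.NVarChar, 2000).Value = msg;

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Placeholder connection string; replace with your own.
        const string connectionString = "Server=localhost;Database=AppDb;Integrated Security=true";
        Console.WriteLine(BuildConcatenated(SampleMessage));
        int rows = InsertParameterized(connectionString, SampleMessage);
        Console.WriteLine($"rows inserted: {rows}");
    }
}
```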