c# - Paramterized Queries -


i new visual c#, , confused on how write parameterized queries. here code without them, 

using system; using system.windows.forms; using system.data.sqlclient;  namespace insert_data {     public partial class form1 : form     {         private void button1_click(object sender, eventargs e)         {             sqlconnection con = new sqlconnection("data source=ztabassum\\sqlexpress01;initial catalog=introdatabase;integrated security=true");             con.open();             sqlcommand sc = new sqlcommand("insert employee values ('"+ textbox1.text +"' , " + textbox2.text + ", '" + textbox3.text + "',  " + textbox4.text + ", " + textbox5.text + ");", con);             int o = sc.executenonquery();             messagebox.show(o + ":record has been inserted");             con.close();         }     } }

i not sure on how write parameterized queries each of text boxes.

i added notes in code along best practices recap after.

// best practice - use meaningful method names private void buttonsaveemployee_click(object sender, eventargs e) {     // best practice - wrap database connections in using block closed & disposed in event of exception     // best practice - retrieve connection string name app.config or web.config (depending on application type) (note, requires assembly reference system.configuration)     using(sqlconnection con = new sqlconnection(system.configuration.configurationmanager.connectionstrings["myconnectionname"].connectionstring))     {         // best practice - use column names in insert statement not dependent on sql schema column order         // best practice - use parameters avoid sql injection attacks , errors if malformed text used including single quote sql equivalent of escaping or starting string (varchar/nvarchar)         // best practice - give parameters meaningful names variables in code         sqlcommand sc = new sqlcommand("insert employee (firstname, lastname, dateofbirth /*etc*/) values (@firstname, @lastname, @dateofbirth /*etc*/)", con);          // best practice - specify database data type of column using         // best practice - check valid values in code and/or use database constraint, if inserting null use system.dbnull.value         sc.parameters.add(new sqlparameter("@firstname", sqldbtype.varchar, 200){value = string.isnullorempty(textboxfirstname.text) ? (object) system.dbnull.value : (object) textboxfirstname.text});         sc.parameters.add(new sqlparameter("@lastname", sqldbtype.varchar, 200){value = string.isnullorempty(textboxlastname.text) ? (object) system.dbnull.value : (object) textboxlastname.text});          // best practice - use correct types when specifying parameters, in case string converted datetime type before being assigned sqlparameter.value         // note - not robust way parse date user never notified in event of failure, purpose here show how use parameters of various types         datetime dob;         sc.parameters.add(new sqlparameter("@dateofbirth", sqldbtype.date){value = datetime.tryparse(textboxdateofbirth.text, out dob) ? (object) dob : (object) system.dbnull.value});          // best practice - open connection late possible unless need verify database connection valid , wont fail , proceeding code execution takes long time (not case here)         con.open();         int o = sc.executenonquery();         messagebox.show(o + ":record has been inserted");          // end of using block close , dispose sqlconnection         // best practice - end using block possible release database connection     } }

best practice recap working ado.net

  • wrap database connections in using block closed & disposed in event of exception. see using statement (c# reference) more information on using statements
  • retrieve connection strings name app.config or web.config (depending on application type)
  • always use parameters incoming values
    • avoid sql injection attacks
    • avoid errors if malformed text used including single quote sql equivalent of escaping or starting string (varchar/nvarchar)
    • letting database provider reuse query plans (not supported database providers) increases efficiency
  • when working parameters
    • give sql parameters meaningful names variables in code
    • specify database data type of column using, ensures wrong parameter types not used lead unexpected results
    • validate incoming parameters before pass them command, there expression called garbage in garbage out. validate incoming values possible in stack
    • use correct types when assigning parameter values, example: not assign string value of datetime, instead assign actual datetime instance value of parameter
    • do not use method addwithvalue, main reason is easy forget specify parameter type or precision/scale when needed. additional information see can stop using addwithvalue already?
  • when using database connections
    • open connection late possible , close possible. general guideline when working external resource
    • never share database connections (example: having singleton host shared database connection). have code create new database connection instance when needed , have calling code dispose of , "throw away" when done. reason
      1. most database providers have sort of connection pooling cheap in managed code
      2. it eliminates future errors if code starts working multiple threads

Comments

Post a Comment

Popular posts from this blog

jOOQ update returning clause with Oracle -

according http://www.jooq.org/doc/3.8/manual/sql-building/sql-statements/update-statement/ jooq doesn't support returning clause in update statements databases except firebird , postgres. does know, still correct oracle jooq? according oracle's documentation, oracle db supports returning clase delete, insert, or update statements. incorrect manual you're right - manual wrong , should fixed: https://github.com/jooq/jooq/issues/5470 single row update returning jooq 3.8 added support single row update .. returning statements. internally, uses callablestatement , pl/sql block of form: begin update "my_table" set "my_table"."column" = 'xyz' "my_table"."id" = 1 returning "my_table"."id", "my_table"."column" ?, ?; ? := sql%rowcount; end; the relevant issue is: https://github.com/jooq/jooq/issues/5190 multi row update returning a...
Read more

java - Warning equals/hashCode on @Data annotation lombok with inheritance -

i have entity inherits other. on other hand, i'm using lombok project reduce boilerplate code, put @data annotation. annotation @data inheritance produces next warning: generating equals/hashcode implementation without call superclass, though class not extend java.lang.object. if intentional, add '@equalsandhashcode(callsuper=false)' type. is advisable add annotation @equalsandhashcode (callsuper = true) or @equalsandhashcode (callsuper = false) ? if not added, 1 callsuper=false or callsuper=true ? the default value false . 1 if don't specify , ignore warning. yes, recommended add @equalsandhashcode annotation on @data annotated classes extend else object. cannot tell if need true or false , depends on class hierarchy, , need examined on case-by-case basis. however, project or package, can configure in lombok.config call super methods if not direct subclass of object. lombok.equalsandhashcode.callsuper = call for configuration system ...
Read more

java - BasicPathUsageException: Cannot join to attribute of basic type -

i using java 8 jpa (hibernate 5.2.1). have clause works perfectly, until introduce clause make use foreign key table values too. i getting following error: basicpathusageexception: cannot join attribute of basic type i think problem related fact have join table, , not sure how create join using join table. employee - employee_category - category model (employee.java): @manytomany(cascade = cascadetype.all, fetch=fetchtype.eager) @jointable ( name="employee_category", joincolumns={ @joincolumn(name="emp_id", referencedcolumnname="id") }, inversejoincolumns={ @joincolumn(name="cat_id", referencedcolumnname="id") } ) private set<category> categories; model (category.java): @id private string id; jpa when introduce following code, fails error above (i think problem new piece of code): join<t, category> category = from.join("id"); predicates.add(criteriabuilder.like(category....
Read more