Executing query with parameters

by

You could open yourself up to SQL injection attacks here, so best practice is to use parameters:

using (SqlConnection dbConn = new SqlConnection(connectionString))
{
    dbConn.Open();

    using (SqlTransaction dbTrans = dbConn.BeginTransaction())
    {
        try
        {
            using (SqlCommand dbCommand = new SqlCommand("insert into [DB].[dbo].[User] ( [Id], [AccountId], [FirstName], [LastName], [JobTitle], [PhoneNumber] ) values ( @id, @accountid, @firstname, @lastname, @jobtitle, @phonenumber );", dbConn))
            {
                dbCommand.Transaction = dbTrans;

                dbCommand.Parameters.Add("id", SqlType.VarChar).Value = id;
                dbCommand.Parameters.Add("accountid", SqlType.VarChar).Value = accountId;
                dbCommand.Parameters.Add("firstname", SqlType.VarChar).Value = firstName;
                dbCommand.Parameters.Add("lastname", SqlType.VarChar).Value = lastName;
                dbCommand.Parameters.Add("jobtitle", SqlType.VarChar).Value = jobTitle;
                dbCommand.Parameters.Add("phonenumber", SqlType.VarChar).Value = phoneNumber;

                dbCommand.ExecuteNonQuery();
            }

            dbTrans.Commit();
        }
        catch (SqlException)
        {
            dbTrans.Rollback();

            throw; // bubble up the exception and preserve the stack trace
        }
    }

    dbConn.Close();
}

This is a good article for beginners with ADO.Net

EDIT – Just as a bit of extra info, I’ve added a transaction to it so if the SQL command fails it will rollback.

More Related Contents:

  1. How do parameterized queries help against SQL injection?
  2. What is the syntax for an inner join in LINQ to SQL?
  3. Read SQL Table into C# DataTable
  4. Is it necessary to manually close and dispose of SqlDataReader?
  5. DropdownList DataSource
  6. Code to validate SQL Scripts
  7. Does using parameterized SqlCommand make my program immune to SQL injection?
  8. C# Version Of SQL LIKE
  9. Use linq to generate direct update without select
  10. SqlConnection.Close() inside using statement
  11. Retrieve an object from entityframework without ONE field
  12. Join and Include in Entity Framework
  13. Why is a SQL float different from a C# float
  14. Table name and table field on SqlParameter C#?
  15. Get affected rows on ExecuteNonQuery
  16. Sql Bulk Copy/Insert in C#
  17. Check if a SQL table exists
  18. Issues Doing a String Comparison in LINQ
  19. Passing datatable to a stored procedure
  20. Use SQL Server time datatype in C#.NET application?
  21. Generating sql code programmatically
  22. Do we have transactions in MS-Access?
  23. Is SqlConnection.Close() need inside a Using statement?
  24. How to enable assembly bind failure logging (Fusion) in .NET
  25. How to use the ternary operator inside an interpolated string?
  26. ReadOnlyCollection or IEnumerable for exposing member collections?
  27. Static Generic Class as Dictionary
  28. Extension methods syntax vs query syntax
  29. .NET FileInfo.LastWriteTime & FileInfo.LastAccessTime are wrong
  30. Reverse a string with accent chars?

Leave a Comment