I'm trying to do a basic insert statement using a parameterized query. My problem is whatever the syntax I'm using it seems like the query is being done with all parameters set to null instead of their appropriate values (unless I hard-code the value in the command text).
Here is the code :
m_Command.CommandText = "INSERT INTO " + s_TracesTabelName + " (DateTimeTraceCreated,
Span, CenterFrequency, Data, DateTimeTestStarted) VALUES (#traceTime, #Span,
#CenterFrequency, #Data, #testTime)";
//just trying another syntax
MySqlParameter param = m_Command.CreateParameter();
param.MySqlDbType = MySqlDbType.Datetime;
param.ParameterName = "#traceTime";
param.Value = trace.TimeCreated;
m_Command.Parameters.Add(param);
//m_Command.Parameters.Add("#traceTime",MySqlDbType.Datetime,8,"DateTimeTraceCreated");
//m_Command.Parameters["#traceTime"].Value = trace.TimeCreated;
m_Command.Parameters.Add("#Span", trace.Span);
m_Command.Parameters.Add("#CenterFrequency", trace.CenterFrequency);
m_Command.Parameters.Add("#Data", data);
m_Command.Parameters.Add("#testTime", testStarted);
try
{
m_Connection.Open();
m_Command.ExecuteNonQuery();
}
catch(Exception e)
{
Console.WriteLine("Error Connecting to Database\n");
//errorlog
}
finally
{
m_Connection.Close();
}
The three different syntaxes lead me to null parameters' value.
ps : I've seen many people using command.Parameters.AddWithValue() method, but I seem to just don't have it.
Kind regards,
Ben
Could be your version of mysql ADO provider?
C# MySqlParameter problem
Try with ? instead of #
Related
I'm trying to build a dynamic sql query to update a table in SQL Server, like this:
string alan = "SaticiKodu";
DynamicParameters paramStSabit = new DynamicParameters();
string sqlSabit = "UPTADE TBLSTSABIT SET ";
if (alan == "SaticiKodu")
{
sqlSabit += " SATICI_KODU = #SaticiKodu ,";
paramStSabit.Add("SaticiKodu", _msk.SaticiKodu);//_msk.SaticiKodu comes from List<T> in foreach loop
}
if (sqlSabit.Contains("=")) // here I check if I have any column update with '='
{
sqlSabit += "WHERE STOK_KODU = #StokKodu";
paramStSabit.Add("StokKodu", _msk.StokKodu);
sqlSabit= sqlSabit.Replace(",WHERE", " WHERE");
db.Execute(sqlSabit, paramStSabit, transaction: _transaction, commandType: CommandType.Text);
}
I have a list of objects, it has lots of properties but to make example short, here I write only StokKodu and StokAdi. This code throws an error
Incorrect syntax at '='
I think this code should work with Dapper.
How can I make this code work, where is my mistake? Thanks for the help from now.
All i do is changing
string sqlSabit
to
StringBuilder sqlSabit
and instead of join strings with +=, i used sqlSabit.Append(), now code is working. And i tested with string, integer and float typed columns/parameters, no problem.
But couldn't understand why StringBuilder solves the problem.
I need to perform an update to a View that has multiple underlying tables using the ExecuteCommand method of a DataContext. I am using this method because of the known restriction of linqToSQL when performing this type of operation on Views having multiple underlying tables.
My existing SQL statement is similar to the following where I am setting newFieldID to a null value simply for this post to illustrate the issue. In the application, newFieldID is assigned a passed parameter and could actually be an integer value; but my question is specific to the case where the value being provided is a null type:
using (var _ctx = new MyDataContext())
{
int? newFieldID = null;
var updateCmd = "UPDATE [SomeTable] SET fieldID = " + newFieldID + "
WHERE keyID = " + someKeyID;
try
{
_ctx.ExecuteCommand(updateCmd);
_ctx.SubmitChanges();
}
catch (Exception exc)
{
// Handle the error...
}
}
This code will fail for the obvious reason that the updateCmd won't be completed in the case of a null value for the newFieldID. So how can I replace or translate the CLR null value with an SQL null to complete the statement?
I know I could move all of this to a Stored Procedure but I am looking for an answer to the existing scenario. I've tried experimenting with DBNull.Value but aside from the challenge of substituting it for the newFieldID to use in the statement, simply placing it into the string breaks the validity of the statement.
Also, enclosing it within a single quotes:
var updateCmd = "UPDATE [SomeTable] SET fieldID = '" + DBNull.Value + "'
WHERE keyID = " + someKeyID;
Will complete the statement but the value of the field is translated to an integer 0 instead of an SQL null.
So How does one go about converting a CLR null or nullable int to an SQL Null value given this situation?
Correct way to do it: use override of ExecuteCommand accepting not only command text, but also array of parameters and use parameterized query instead of command string concatenation:
var updateCmd = "UPDATE [SomeTable] SET fieldID = {0} WHERE keyID = {1}";
_ctx.ExecuteCommand(updateCmd, new [] {newFieldID, someKeyID});
It will not only prevent you from sql injection, but also it will do following for you (from MSDN description):
If any one of the parameters is null, it is converted to DBNull.Value.
Try checking newFieldID == null and change the statement accordingly.
Something like below or using separate if / else statement.
var updateCmd = "UPDATE [SomeTable] SET fieldID =" + (newFieldID == null ? "null" : Convert.ToString(newFieldID)) + " WHERE keyID = " + someKeyID;
Normally, when using Stored Procedures or Prepared Statements, you use Parameters to assign values. When you have a DbParameter, you can assign null or DBNull.Value to the Value-Property or your parameter.
If you want to have the null as text in the statement, simply use the SQL-keyword NULL
var updateCmd = "UPDATE [SomeTable] SET fieldID = NULL WHERE keyID = " + someKeyID;
As pointed out by Andy Korneyev and others, a parameterized array approach is the best and probably the more appropriate method when using Prepared statements. Since I am using LinqToSQL, the ExecuteCommand method with the second argument which takes an array of parameters would be advised but it has the following caveats to its usage.
A query parameter cannot be of type System.Nullable`1[System.Int32][] (The main issue I'm trying to resolve in this case)
All parameters must be of the same type
Shankar's answer works although it can quickly become very verbose as the number of parameters could potentially increase.
So my workaround for the problem involve somewhat of a hybrid between the use of parameters as recommended by Andy and Shankar's suggestion by creating a helper method to handle the null values which would take an SQL statement with parameter mappings and the actual parameters.
My helper method is:
private static string PrepareExecuteCommand (string sqlParameterizedCommand, object [] parameterArray)
{
int arrayIndex = 0;
foreach (var obj in parameterArray)
{
if (obj == null || Convert.IsDBNull(obj))
{
sqlParameterizedCommand = sqlParameterizedCommand.Replace("{" + arrayIndex + "}", "NULL");
}
else
sqlParameterizedCommand = sqlParameterizedCommand.Replace("{" + arrayIndex + "}", obj.ToString());
++arrayIndex;
}
return sqlParameterizedCommand;
}
So I can now execute my statement with parameters having potential null values like this:
int? newFieldID = null;
int someKeyID = 12;
var paramCmd = "UPDATE [SomeTable] SET fieldID = {0} WHERE keyID = {1}";
var newCmd = PrepareExecuteCommand(paramCmd, new object[] { newFieldID });
_ctx.ExecuteCommand(newCmd);
_ctx.SubmitChanges();
This alleviates the two previously referenced limitations of the ExecuteCommand with a parameter array. Null values get translated appropriately and the object array may varied .NET types.
I am marking Shankar's proposal as the answer since it sparked this idea but posting my solution because I think it adds a bit more flexibility.
I have the following code in c# for sql insert:
using (DM dbManager = new DM())
{
dbManager.Command.CommandText = #"Insert into TransactionLog(TransactionNumber,Amount
,studentID) Values (#trnumber,#amount,#studentID) ; SELECT SCOPE_IDENTITY() ;";
dbManager.Command.Parameters.AddWithValue("#trnumber", txnref);
dbManager.Command.Parameters.AddWithValue("#amount", amount);
dbManager.Command.Parameters.AddWithValue("#studentID",
Membership.GetUser().ProviderUserKey.ToString());
id = Convert.ToInt32(dbManager.Command.ExecuteScalar());
}
But failing to understand why am i getting this error:
System.Data.SqlClient.SqlException: The parameterized query '(#trnumber
nvarchar(4000),#amount nvarchar(5),#studentID nvarcha' expects the
parameter '#trnumber', which was not supplied.
Because the parameter is clearly in the query i tried changing the name of parameter same issue.
Any suggestions?
if (String.IsNullOrEmpty(txnref))
{
command.Parameters.AddWithValue("#trnumber", DBNull.Value);
}
else
command.Parameters.AddWithValue("#trnumber", txnref);
Try to put DBNull.Value if value is empty it will work! Also check your column accepts NULL
When I execute the following query in SSMS I get the expected result i.e. '1'
SELECT TSID
FROM tblTimesheets
WHERE TSUser = 'PJW' AND TSDate = '2012-01-18';
However, when the SqlCommand is produced by the code in my application the ExecuteScalar fails (it simply causes the method to exit with no error message).
public int GetID(string paramUser, DateTime paramDate)
{
string strSql = "SELECT TSID " +
"FROM tblTimesheets " +
"WHERE TSUser = #TSUser AND TSDate = #TSDate;";
string strConnection = BuildConnectionString();
SqlConnection linkToDB = new SqlConnection(strConnection);
linkToDB.Open();
SqlCommand sqlCom = new SqlCommand(strSql, linkToDB);
sqlCom.Parameters.Add("#TSUser", SqlDbType.Text);
sqlCom.Parameters.Add("#TSDate", SqlDbType.Date);
sqlCom.Parameters["#TSUser"].Value = paramUser;
sqlCom.Parameters["#TSDate"].Value = paramDate;
int intResult = (Int32)sqlCom.ExecuteScalar();
linkToDB.Close();
return intResult;
}
I've stepped through the code and can confirm the parameters are PJW and 2012-01-18 as required, but the ExecuteScalar returns any data, which I know should be there based on my comparable query in SSMS.
Please assist.
Instead of SqlDbType.Text try any of the following, depending on the type of the column:
SqlDbType.VarChar
SqlDbType.NVarChar
SqlDbType.NText
SqlDbType.NChar
SqlDbType.Char
When the parameter is of DB type date, it is a good practice to defensively strip the time part on setting the parameter, like this:
sqlCom.Parameters.Add("#TSDate", SqlDbType.Date);
sqlCom.Parameters["#TSDate"].Value = paramDate.Date;
Please let me know if this does not help, and I'll remove my answer.
You say the ExecuteScalar fails with no error message. Wrap your code in a try-catch block to make sure any exceptions that ExecuteScalar() might be throwing are caught.
Other than that try and do as others have suggested and view the SQL produced using SQL Profiler, then run that SQL in SSMS to compare results.
SELECT TSID
FROM tblTimesheets
WHERE TSUser = 'PJW' AND TSDate = '2012-01-18';
Here U r passing the exact date as parameter
Where as while passing the parameter in to the stored procedure you are passing
"DateTime paramDate"
A date time variable
May be you need to parse to exact date format as supported by the stored procedure
i.e you need to format the paramDate variable to 'YYYY-mm-DD'
I am not sure.. Try it.. and reply if it helps or not !
I want to update a row by code in my form. Maybe some columns are null. So while command is
executing, an error will rise and say Incorrect syntax near the keyword 'where':
SqlCommand Update = new SqlCommand("Update Table_065_Turn SET Column02=" + Row["Column48"] + " , Column15= " + Row["Column15"].ToString() +
" where ColumnId=" + StatusTable.Rows[0]["ColumnId"], Con);
Update.ExecuteNonQuery();
I know this error will be displayed because Row["Column15"] is null.
How can I check if the column in datarow is null; of course without any extra variable or commands before Update command.
I mean check columns exactly in update command.
I would recommend using SqlParameters, also SqlCommand implements IDisposable so you should wrap it up in a using statement e.g.
using (SqlCommand update = new SqlCommand("Update Table_065_Turn SET Column02=#Col2, Column15=#Col15 where ColumnId=#ColId", con))
{
update.Parameters.AddWithValue("#Col2", Row["Column48"]);
update.Parameters.AddWithValue("#Col15", Row["Column15"]);
update.Parameters.AddWithValue("#ColId", StatusTable.Rows[0]["ColumnId"]);
update.ExecuteNonQuery();
}
Also you might be better actually validating the fields before you execute the query unless null is a valid column value.
I suspect you have to "replace" .net null with database keyword NULL, e.g.
string sql = "Column15 = " + (row[15] == null ? "NULL" : row[15].ToString()) in your case, but the much better way is to use Parameters as written by James, also keep in mind someone could provide hamful strings to your query:
row[15] = ";DROP DATABASE; --" would be enough in your case to cause all your data to be lost ;) (see "SQL injection" on your favorite search engine
you could use
var value = "" + Row["columnname"] ;
so ,you do not need to check the object is null
it is safe..
You could do like this:
string filterString;
if (StatusTable.Rows[0]["ColumnId"]!=System.DBNull.Value)
filterString= #" WHERE ColumnID= StatusTable.Rows[0]["ColumnId"]";//I assume the value returned is a string
else
filterString="";
And then you can just append the filterString variable to your SQLCommand string.