ansaurus

Question

Answer 1

A:

Use .AddWithValue(), So:

sqlComm.Parameters.AddWithValue("@Age", sb.ToString().TrimEnd(','));

Alternatively, you could use this:

sqlComm.Parameters.Add(
    new SqlParameter("@Age", sb.ToString().TrimEnd(',')) { SqlDbType = SqlDbType. NVarChar }
    );

Your total code sample will look at follows then:

string sqlCommand = "SELECT * from TableA WHERE Age IN (@Age)";
SqlConnection sqlCon = new SqlConnection(connectString);
SqlCommand sqlComm = new SqlCommand();
sqlComm.Connection = sqlCon;
sqlComm.CommandType = System.Data.CommandType.Text;
sqlComm.CommandText = sqlCommand;
sqlComm.CommandTimeout = 300;

StringBuilder sb = new StringBuilder();
foreach (ListItem item in ddlAge.Items)
{
     if (item.Selected)
     {
         sb.Append(item.Text + ",");
     }
}

sqlComm.Parameters.AddWithValue("@Age", sb.ToString().TrimEnd(','));

// OR

// sqlComm.Parameters.Add(new SqlParameter("@Age", sb.ToString().TrimEnd(',')) { SqlDbType = SqlDbType. NVarChar });

Kyle Rozendo 2010-03-04 07:32:35

I have tried this one, does not work.

Yongwei Xing 2010-03-04 07:39:00

The Age field's type is nvchar not int. Does it matter?

Yongwei Xing 2010-03-04 07:45:49

It shouldn't. Especially with the second method. You specify the type explicitly.

Kyle Rozendo 2010-03-04 07:54:09

I use both method, it still doesn't work. I do not want to manipulate the string which may led security problem

Yongwei Xing 2010-03-04 08:00:22

I'm not really understanding you. When you say it doesn't work, does it throw an exception? What does it do?

Kyle Rozendo 2010-03-04 08:01:54

it does not throw exception, it return nothing. But I run the T-SQL in Studio Management, it returns many result.

Yongwei Xing 2010-03-04 08:05:02

Answer 2

A:

try it like this

StringBuilder sb = new StringBuilder(); 
foreach (ListItem item in ddlAge.Items) 
{ 
     if (item.Selected) 
     { 
          string sqlCommand = "SELECT * from TableA WHERE Age IN (@Age)"; 
          SqlConnection sqlCon = new SqlConnection(connectString); 
          SqlCommand sqlComm = new SqlCommand(); 
          sqlComm.Connection = sqlCon; 
          sqlComm.CommandType = System.Data.CommandType.Text; 
          sqlComm.CommandText = sqlCommand; 
          sqlComm.CommandTimeout = 300; 
          sqlComm.Parameters.Add("@Age", SqlDbType.NVarChar);
          sb.Append(item.Text + ","); 
          sqlComm.Parameters["@Age"].Value = sb.ToString().TrimEnd(',');
     } 
}

Ballin 2010-03-04 07:36:40

Why put the SqlConnection and SqlCommnad in the loop?

Yongwei Xing 2010-03-04 07:40:12

Answer 3

A:

sorry how do you add code?

    StringBuilder sb = new StringBuilder(); foreach (ListItem item in ddlAge.Items) 
{ 
if (item.Selected) 
{ 
string sqlCommand = "SELECT * from TableA WHERE Age IN (@Age)";
 SqlConnection sqlCon = new SqlConnection(connectString); 
SqlCommand sqlComm = new SqlCommand(); 
sqlComm.Connection = sqlCon; sqlComm.CommandType = System.Data.CommandType.Text; sqlComm.CommandText = sqlCommand; 
sqlComm.CommandTimeout = 300; 
sqlComm.Parameters.Add("@Age", SqlDbType.NVarChar); 
sb.Append(item.Text + ","); sqlComm.Parameters["@Age"].Value = sb.ToString().TrimEnd(','); 
} 
}

Ballin 2010-03-04 07:40:35

it does not work also

Yongwei Xing 2010-03-04 07:49:43

Answer 4

+1 A:

You will need to add the values in the array one at a time.

var parameters = new string[items.Length];
var cmd = new SqlCommand();
for (int i = 0; i < items.Length; i++)
{
    parameters[i] = string.Format("@Age{0}", i);
    cmd.Parameters.AddWithValue(parameters[i], items[i]);
}

cmd.CommandText = string.Format("SELECT * from TableA WHERE Age IN ({0})", string.Join(", ", parameters));
cmd.Connection = new SqlConnection(connStr);

Brian 2010-03-04 07:59:18

Does this method have the security issue, like sql injection?

Yongwei Xing 2010-03-04 08:02:44

Because you are putting the values into parameters there is no risk of sql injection.

Brian 2010-03-04 17:29:21

Answer 5

A:

i see, you want to pass make the parameter = to the whole string from the stringbuilder

Ballin 2010-03-04 08:12:54

Answer 6

A:

try

sqlComm.Parameters["@Age"].Value = sb.ToString().Replace(","," ");

Ballin 2010-03-04 08:21:39

Answer 7

A:

I know this has nothing to do with the question but seriously look into an orm solution like Nhibernate, Linq to SQL, LLBLGen Pro or entity framework.

It will make your life much simpler and more productive.

Just my two cents.

SetiSeeker 2010-03-04 08:30:52

Do you mean that I can not solve this problem if I just use this method?

Yongwei Xing 2010-03-04 08:58:56

if you use an ORM tool the sql heavy lifting like you did above is no longer needed. your specific issue seems to have been answered with the other post. my post was merely suggesting alternative aproaches to data access.

SetiSeeker 2010-03-04 09:45:08

ansaurus

tags:

views:

answers:

Pass Array Parameter in SqlCommand

related questions