views: 268
answers: 4

I am trying to set up a query for my dataset in C# using a variable for the filter. For example I am trying to only display a specific account number and his balance, with a local variable being the account number used as a filter for that exact one. Am I going about this the wrong way?

I am by no stretch of the imagination a real programmer; I am in a bind and have skimmed along using a guide to programming in C# and the limited brain power I have (which is now running on empty) :)

I also would like to alter the database information using a button with an event handler to add specific amounts to a cell that was queried. Am I doomed for my lack of knowledge of hard coding, or can I actually pull this off?

Sincerely, noobish engineer trying to program... or Jev

A: 

You could just use the variable to generate your SQL query dynamically, but beware of SQL injection: be really sure that your variable cannot contain SQL statements.

You could use a function that builds and returns your SQL query like this, with the variable for the filter as a parameter:

using System.Text; // StringBuilder

// Builds the query text directly from the account number (no SQL parameter is used).
internal string BuildSQLQueryForAccount(int account)
{
    StringBuilder sb = new StringBuilder();
    sb.Append("SELECT * ");
    sb.Append("FROM Accounts ");
    sb.AppendFormat("WHERE AccountNumber = {0}", account);
    return sb.ToString();
}
BeowulfOF
Bad idea, simply on principle. Why take the risk of the code being copied and used for a string parameter, leading to SQL injection? Parameterised SQL isn't hard, and it's worth using it ubiquitously (except for the *very* few places where you can't, such as parameterising the table names).
Jon Skeet
Well, I added the hint about SQL injection, so why the downvote?
BeowulfOF
Because it's giving a bad example which can easily be copy-pasted when SQL parameterisation is a much, much better solution.
Jon Skeet
+3  A: 

When you set up your dataset query you can do something like this:

SELECT Name FROM TableNames WHERE Name = @Variable

Have a look at this link for more info.

It might be worth having a look into SQL injection attacks too; click here.

Dominic
+2  A: 
using System.Data.SqlClient;

// Parameterised query: the value is bound to @value and never concatenated into the SQL text.
SqlCommand cmd = new SqlCommand("select * from table1 where column1 = @value", connection);
cmd.Parameters.Add(new SqlParameter("@value", "yourvalue"));
SqlDataReader dr = cmd.ExecuteReader();
while (dr.Read())
{
   //code here!
}
dr.Close();

I hope this will be useful!

Bigballs
You might want to edit your answer to format the code portion as code so that it is easier to read.
Andy
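The two answers above show the parameter syntax in isolation; here is an added example (not code from any answer on this page) that applies it to the asker's two tasks, reading one account's balance by a local variable and adding an amount to it from a button handler, using typed `SqlParameter`s throughout. The table and column names (`Accounts`, `AccountNumber`, `Balance`) and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: parameterised ADO.NET commands for the asker's scenario.
// Table/column names and the connection string are assumptions, not from the page.
public sealed class AccountRepository
{
    private readonly string _connectionString;

    public AccountRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Filter on a local variable without ever concatenating it into the SQL text.
    // Returns null when the account does not exist.
    public decimal? GetBalance(int accountNumber)
    {
        const string sql = "SELECT Balance FROM Accounts WHERE AccountNumber = @AccountNumber";
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Typed parameter: the value travels separately from the statement,
            // so whatever it contains cannot change the query's meaning.
            command.Parameters.Add("@AccountNumber", SqlDbType.Int).Value = accountNumber;
            connection.Open();
            object result = command.ExecuteScalar();
            return result == null || result == DBNull.Value ? (decimal?)null : (decimal)result;
        }
    }

    // What a button's Click handler would call to add an amount to the queried cell.
    // Returns the number of rows updated (0 means no such account).
    public int AddToBalance(int accountNumber, decimal amount)
    {
        const string sql =
            "UPDATE Accounts SET Balance = Balance + @Amount WHERE AccountNumber = @AccountNumber";
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@Amount", SqlDbType.Decimal).Value = amount;
            command.Parameters.Add("@AccountNumber", SqlDbType.Int).Value = accountNumber;
            connection.Open();
            return command.ExecuteNonQuery();
        }
    }
}
```

A Click handler would simply call `AddToBalance(accountNumber, amount)` and then `GetBalance(accountNumber)` to refresh the displayed value; neither method ever builds SQL from the user's input.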
A: 

Once upon a time, I wrote a little article on why you should definitely use parameters in SQL statements. (I wrote it in response to the fact that I saw way too many people using string concatenation to write their queries.)

You can find it here: http://fgheysels.blogspot.com/2005/12/avoiding-sql-injection-and-date.html

Frederik Gheysels