views:

45

answers:

2

Hello, everyone! I am currently struggling with a MySQL database with DataSet. The thing is that it uses loads of memory (as I found somewhere on the net, it uses almost 4x the memory compared to when you are using DataReader). What I was thinking is to make a function that will use DataReader for the SQL SELECT command.

What I am currently thinking of is (example):

```csharp
public void GetData(string name, string surname, string company)
{
    // Each condition is built by pasting the text box value straight into the
    // SQL text (no parameters); the conditions are joined with AND below.
    var conditions = new List<string>();

    if (txtName.Text != "")
        conditions.Add("name=" + txtName.Text);

    if (txtSurname.Text != "")
        conditions.Add("surname=" + txtSurname.Text);

    if (txtCompany.Text != "")
        conditions.Add("company=" + txtCompany.Text);

    string selectCommand = "SELECT * FROM thetable";
    if (conditions.Count > 0)
        selectCommand += " WHERE " + string.Join(" AND ", conditions);

    MySqlDataAdapter dataAdapter = new MySqlDataAdapter(selectCommand + ";", conn);
    // etc...
}
```

But I feel that it's the wrong way. First of all, I am not using parameters. The second thing is that it looks kinda dirty. Can anyone please suggest something?

+2  A: 

This is of course a SQL injection attack waiting to happen.....

Colin
Thank you for pointing that out! Will it be better if I do something like this? `if (txtName.Text != "") { selectCommand.CommandText += "name=@name "; selectCommand.Parameters.Add("@name", txtName.Text); }`
nomail
Yes, that would be better. Always sanitize your inputs!
Colin
A: 

I would break this up and call separate functions depending upon what filter you want to apply:

```csharp
public void GetData(string name, string surname, string company)
{
    DbCommand command;

    if (name != "" && surname != "" && company != "")
    {
        command = GetDataCommandFilteredByFirstNameSurnameCompany(name, surname, company);
    }
    else if (name != "" && surname != "")
    {
        command = GetDataCommandFilteredByFirstNameSurname(name, surname);
    }

    // ... one branch per remaining filter combination ...

    DbDataReader reader = command.ExecuteReader();

    // ...
}
```

Each Filter function would then contain simple code to generate command objects:

```csharp
// Requires using System.Data.Common; for DbCommand and DbParameter.
private DbCommand GetDataCommandFilteredByFirstNameSurnameCompany(string name, string surname, string company)
{
    DbCommand command = conn.CreateCommand();

    // Only placeholders appear in the SQL text; the values are bound below.
    command.CommandText = @"
        SELECT    *
        FROM      some_table
        WHERE     name = @name AND
                  surname = @surname AND
                  company = @company";

    DbParameter parameter = command.CreateParameter();
    parameter.ParameterName = "@name";
    parameter.Value = name;
    command.Parameters.Add(parameter);

    parameter = command.CreateParameter();
    parameter.ParameterName = "@surname";
    parameter.Value = surname;
    command.Parameters.Add(parameter);

    parameter = command.CreateParameter();
    parameter.ParameterName = "@company";
    parameter.Value = company;
    command.Parameters.Add(parameter);

    return command;
}
```
m_arnell
Hi, m_arnell! Thank you for your reply! The thing is that I wanted to create the query dynamically. As in this example I use only 3 parameters it's not hard, while in the project I'm currently on I might need up to 7 parameters and they are all independent.
nomail
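As an added example (not code from any of the posters), here is one way to build the WHERE clause dynamically for any subset of independent filters, as asked about in the last comment, while keeping every value bound as a parameter and streaming the result through a DataReader as the question intended. It assumes the MySql.Data connector (MySql.Data.MySqlClient) and the table name `thetable` from the question; the `AllowedColumns` list and the `ReadNames` helper are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using MySql.Data.MySqlClient;

public static class FilteredQuery
{
    // Columns a caller may filter on (assumed names). Identifiers cannot be bound as
    // parameters, so they come from this fixed list and never from user input.
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.Ordinal) { "name", "surname", "company" };

    // Builds "SELECT * FROM thetable [WHERE c1 = @p0 AND c2 = @p1 ...]".
    // Filters with empty values are skipped, so any subset of independent
    // filters works; every value is bound as a parameter, not spliced into SQL.
    public static MySqlCommand Build(MySqlConnection conn, IDictionary<string, string> filters)
    {
        MySqlCommand cmd = conn.CreateCommand();
        var conditions = new List<string>();
        int i = 0;
        foreach (KeyValuePair<string, string> kv in filters)
        {
            if (string.IsNullOrEmpty(kv.Value)) continue;   // optional filter not set
            if (!AllowedColumns.Contains(kv.Key))
                throw new ArgumentException("Unknown filter column: " + kv.Key);
            string pname = "@p" + i++;
            conditions.Add("`" + kv.Key + "` = " + pname);
            cmd.Parameters.AddWithValue(pname, kv.Value);
        }
        cmd.CommandText = "SELECT * FROM thetable";
        if (conditions.Count > 0)
            cmd.CommandText += " WHERE " + string.Join(" AND ", conditions);
        return cmd;
    }

    // Streams matching rows through a DataReader instead of filling a DataSet.
    public static List<string> ReadNames(MySqlConnection conn, IDictionary<string, string> filters)
    {
        var names = new List<string>();
        using (MySqlCommand cmd = Build(conn, filters))
        using (MySqlDataReader reader = cmd.ExecuteReader())
        {
            while (reader.Read())
                names.Add(reader.GetString(reader.GetOrdinal("name")));
        }
        return names;
    }
}
```

Adding a fourth or seventh filter means adding its column name to `AllowedColumns`; the SQL text and parameter binding do not change.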