Exception handling - Is there a better way?

Question

Hello guys/girls,

    public bool AddEntity(int parentId, string description)
    {
        try
        {
            _connection.Open();
            SqlCommand command = new SqlCommand("INSERT Structure (Path,Description) " +
                                                "VALUES(" + GetPath(parentId) + ".GetDescendant(" + GetLastChildPath(parentId, 1) + ", NULL), " +
                                                description + ")", _connection);

            if (command.ExecuteNonQuery() <= 0) _success = false;

            command.Connection.Close();

            if (_success)
            {
                return true;
            }

            throw new Exception("An error has occured whilst trying to add a entity");
        }
        catch (Exception ex)
        {
            AddError(new ErrorModel("An error has occured whilst trying to add a entity", ErrorHelper.ErrorTypes.Critical, ex));
            return false;
        }
    }

Is there a better way of handling the exceptions in the example above?

Thanks in advance for any help.

Clare

Answer 1

You can take advantage of the IDisposable interface, and the power of a using block.

using(var connection = new Connection()) // Not sure what _connection is, in this method, so making pseudo-code
{
  // ... work with connection
}

This will close the connection even if an exception is thrown. It turns into (more-or-less) this:

var connection = new Connection();

try
{
  // ... work with connection
}
finally
{
  connection.Dispose();
}

Dispose, in this case, will close the connection.

Answer 2

There's quite a few things wrong here.

a. You're using inline SQL and injecting what I can only assume to be user generated data into it. This is a security risk. Use a parameterised query.

b. You're exception handling is ok but this will leave the connection open if an error occurs. I'd write it like so:

 public bool AddEntity(int parentId, string description)
 {
    try
    {
        //Assuming you have a string field called connection string
        using(SqlConnection conn = new SqlConnection(_connectionString))
        {
            SqlParameter descriptionParam = new SqlParameter("@description", SqlDbType.VarChar, 11);
            descriptionParam.Value = description;

            SqlParameter parentIdParam = new SqlParameter("@parentId", SqlDbType.Int, 4);
            parentIdParam.Value = parentId;

            //Bit confused about the GetPath bit.
            SqlCommand command = new SqlCommand("INSERT Structure (Path,Description) " +
                                            "VALUES(" + GetPath(parentId) + ".GetDescendant(" + GetLastChildPath(parentId, 1) + ", NULL),@description)", conn);

            command.Parameters.Add(descriptionParam);

            if (command.ExecuteNonQuery() <= 0) _success = false;
        }

        if (_success)
        {
            return true;
        }

        //This isn't really an exception. You know an error has a occured handle it properly here.
        throw new Exception("An error has occured whilst trying to add a entity");
    }
    catch (Exception ex)
    {
        AddError(new ErrorModel("An error has occured whilst trying to add a entity", ErrorHelper.ErrorTypes.Critical, ex));
        return false;
    }