In the examples shown so far, the SQL command text and the data values have been embedded in a single string. This approach is easy, and convenient for writing data access code. However, it also has significant drawbacks that make it unsuitable for a production-level application. These include inflexibility, poor performance, and potential security problems when using user-supplied values.
To overcome these problems, you need to use another feature of the Command object: parameters. Command parameters are conceptually the same as method parameters in an ordinary piece of .NET code. The most common type of parameter is an input parameter, which carries information from your application to the data source. You can use an input parameter when calling a stored procedure or when coding a parameterized query. In addition, you can use output parameters, which return information from the data source to your code, or bidirectional parameters, which transmit values in both directions. Output and bidirectional parameters are used only when you are making stored procedure calls.
Every Command object has an associated collection of Parameter objects (referenced by its Parameters property). The Parameter object is a provider-specific object, which means a SqlCommand uses a SqlParameter, an OleDbCommand uses an OleDbParameter, and so on.
In order to create a Parameter object, you must specify a parameter name, and the exact data type for the information it will contain. For the managed OLE DB provider, you specify data types using the System.Data.OleDb.OleDbType enumeration. For the SQL Server data provider, you use the System.Data.SqlDbType enumeration. If the data type is a variable-length field such as a string or binary field, you also need to indicate the field length.
For example, the following code snippet shows how to create a SqlParameter object named @MyParam with a SQL Server integer type. Note that the name is preceded with an @ symbol; this is a convention of stored procedure programming with SQL Server, but it is by no means a necessity in your code.
SqlParameter param = new SqlParameter("@MyParam", SqlDbType.Int);
To use a variable-length data type, you need to use a different constructor that accepts a field length, as shown here:
SqlParameter param = new SqlParameter("@MyParam", SqlDbType.NVarChar, 15);
Once you've created a Parameter, you will probably want to assign a value and add it to an existing Command:
SqlCommand cmd = new SqlCommand(commandText, con); SqlParameter param = new SqlParameter("@Description", SqlDbType.VarChar, 88, "Description"); param.Value = "This is the description"; cmd.Add(param);
Alternatively, you can create the Parameter and add it to the Command in one step using an overloaded version of the Add( ) method. This method returns a reference to the newly created Parameter object, allowing you to quickly set a value.
SqlCommand cmd = new SqlCommand(commandText, con); SqlParameter param = cmd.Add("@Description", SqlDbType.VarChar, 88, "Description"); param.Value = "This is the description";
By default, when you create a parameter, it is configured as an input parameter, meaning that the Parameter.Direction property is set to ParameterDirection.Input.
You can retrieve parameters from the Parameters collection by index number or by the assigned parameter name:
// Select the first parameter. param = cmd.Parameters; // Select the parameter with the name "@Description". param = cmd.Parameters["@Description"];
Now that you can create and configure Parameter objects, it's time to consider how to use them to build a parameterized command.