Alerts

Free Alerts

Your email will always be
private and will not be shared.

<< TextBox Validation using JavaScript | Send SMTP Email using SQL Server >>

ASP/ASP.Net

Parameterized Queries ADO.Net

Author:Mudassar Khan

Parameterized Queries

Parameterized Queries are those in which values are passed using SQL Parameters.

Benefits

The prime benefit of parameterized Queries is to protect the database from SQL Injection.

Connection String

Set the connection string in Web.Config

<add name="conString"

connectionString="Data Source=.\SQLEXPRESS;database=Northwind;

AttachDbFileName=|DataDirectory|\NORTHWND.MDF;Integrated Security=true"/>

</connectionStrings>

Namespaces

You will need to import the following two namespaces

using System.Data;

using System.Data.SqlClient;

Imports System.Data

Imports System.Data.SqlClient

Select Queries

The following function will be used to execute the select queries.

private DataTable GetData(SqlCommand cmd)

{

DataTable dt = new DataTable ();

String strConnString = System.Configuration.ConfigurationManager.ConnectionStrings["conString"].

ConnectionString;

SqlConnection con = new SqlConnection(strConnString);

SqlDataAdapter sda = new SqlDataAdapter();

cmd.CommandType = CommandType.Text;

cmd.Connection = con;

try

{

con.Open();

sda.SelectCommand = cmd;

sda.Fill(dt);

return dt;

}

catch (Exception ex)

{

Response.Write(ex.Message);

return null;

}

finally

{

con.Close();

sda.Dispose();

con.Dispose();

}

VB.Net

Public Function GetData(ByVal cmd As SqlCommand) As DataTable

Dim dt As New DataTable

Dim strConnString As String = System.Configuration.ConfigurationManager.ConnectionStrings("conString").

ConnectionString

Dim con As New SqlConnection(strConnString)

Dim sda As New SqlDataAdapter

cmd.CommandType = CommandType.Text

cmd.Connection = con

Try

con.Open()

sda.SelectCommand = cmd

sda.Fill(dt)

Return dt

Catch ex As Exception

Response.Write(ex.Message)

Return Nothing

Finally

con.Close()

sda.Dispose()

con.Dispose()

End Try

End Function

The function executes the SQL Query and then returns the DataTable.

Execute a Simple Select Query

string strQuery = "select * from customers";

SqlCommand cmd = new SqlCommand(strQuery);

DataTable dt = GetData(cmd);

GridView1.DataSource = dt;

GridView1.DataBind();

VB.Net

Dim strQuery As String = "select * from customers"

Dim cmd As New SqlCommand(strQuery)

Dim dt As DataTable = GetData(cmd)

GridView1.DataSource = dt

GridView1.DataBind()

The above code executes the Query and binds the result to the GridView.

Execute SQL Query with Filter Condition

string strQuery = "select * from customers where city = @city";

SqlCommand cmd = new SqlCommand(strQuery);

cmd.Parameters.AddWithValue("@city", txtCity.Text.Trim());

DataTable dt = GetData(cmd);

GridView1.DataSource = dt;

GridView1.DataBind();

VB.Net

Dim strQuery As String = "select * from customers where city = @city"

Dim cmd As New SqlCommand(strQuery)

cmd.Parameters.AddWithValue("@city", txtCity.Text.Trim)

Dim dt As DataTable = GetData(cmd)

GridView1.DataSource = dt

The above query executes the SQL Query that filters the record based on City.

You will notice that the @city which is the parameter for the query.

cmd.Parameters.AddWithValue("@city", txtCity.Text.Trim())

The statement assigns the value of textbox txtCity to the parameter @City

Insert - Update Queries

The following functions will be used to execute Insert and Update Queries.

private Boolean InsertUpdateData(SqlCommand cmd)

{

String strConnString = System.Configuration.ConfigurationManager.ConnectionStrings["conString"].

ConnectionString;

SqlConnection con = new SqlConnection(strConnString);

cmd.CommandType = CommandType.Text;

cmd.Connection = con;

try

{

con.Open();

cmd.ExecuteNonQuery();

return true;

}

catch (Exception ex)

{

Response.Write(ex.Message);

return false;

}

finally

{

con.Close();

con.Dispose();

}

VB.Net

Public Function InsertUpdateData(ByVal cmd As SqlCommand) As Boolean

Dim strConnString As String = System.Configuration.ConfigurationManager.ConnectionStrings("conString").

ConnectionString

Dim con As New SqlConnection(strConnString)

cmd.CommandType = CommandType.Text

cmd.Connection = con

Try

con.Open()

cmd.ExecuteNonQuery()

Return True

Catch ex As Exception

Response.Write(ex.Message)

Return False

Finally

con.Close()

con.Dispose()

End Try

End Function

Execute Insert Queries

string strQuery;

SqlCommand cmd;

strQuery = "insert into customers (CustomerID, CompanyName) values(@CustomerID, @CompanyName)";

cmd = new SqlCommand(strQuery);

cmd.Parameters.AddWithValue("@CustomerID", "A234");

cmd.Parameters.AddWithValue("@CompanyName", "DCB");

InsertUpdateData(cmd);

VB.Net

Dim strQuery As String

Dim cmd As SqlCommand

strQuery = "insert into customers (CustomerID, CompanyName) values(@CustomerID, @CompanyName)"

cmd = New SqlCommand(strQuery)

cmd.Parameters.AddWithValue("@CustomerID", "AZNL")

cmd.Parameters.AddWithValue("@CompanyName", "ABC")

InsertUpdateData(cmd)

Executing Update Queries

string strQuery;

SqlCommand cmd;

strQuery = "update customers set CompanyName=@CompanyName where CustomerID=@CustomerID";

cmd = new SqlCommand(strQuery);

cmd.Parameters.AddWithValue("@CustomerID", "A234");

cmd.Parameters.AddWithValue("@CompanyName", "BCD");

InsertUpdateData(cmd);

VB.Net

Dim strQuery As String

Dim cmd As SqlCommand

strQuery = "update customers set CompanyName=@CompanyName where CustomerID=@CustomerID"

cmd = New SqlCommand(strQuery)

cmd.Parameters.AddWithValue("@CustomerID", "AZNL")

cmd.Parameters.AddWithValue("@CompanyName", "XYZ")

InsertUpdateData(cmd)

You can download the Sample source code in VB.Net And C# here

SQLQeriesADO.Net.zip (536.56 kb)

Posted: Feb 09 2009, 03:28 by Mudassar Khan | Comments (11)

Filed under: ADO.Net | C# | SQL Server | VB.Net

If you like this article, help us grow by bookmarking this page on any social bookmarking site.

Minimize Comments

Comments

Suthish Nair said:

Great Man.. you rocks...

great examples..keep updating..

# February 13 2009, 17:45

Waheed said:

Great Effort Muddasar khan ,
Nice examples with simple explaination
keep it up

Best Regards

# February 25 2009, 15:57

Vijay said:

hi !

smart work !! amazing positive point in this code is very easy to understand...$

# February 27 2009, 15:36

kathirvel said:

Explaining things in simple way is a skill in you.

# March 30 2009, 22:30

madhu said:

please can u send the commands to create , insert, delete, updeta, check the data in database without interacting with database please can u help me in this it would be great.

# April 29 2009, 01:54

Neha Jain said:

Great...
Whole ADO.net funda in one place.

# May 11 2009, 19:22

Mudassar Khan said:

Hi Madhu,

What did you meant by "without interacting with database"?

# May 11 2009, 19:38

VSS said:

Have you worked with ODP.net. If so, I have a small query.

After executing
m_objReaderData = .ExecuteReader(CommandBehavior.SingleResult)
Do while m_objReaderData.read

loop.

The first read takes a very long time. I have 900 rows.
If i check for .Hasrows, this is also taking long time.

How do i improve the performance while retrieving data.
I don't want to set fetchsize because i don't really know how many records will be retrieved.

Please help or if you could direct it to somebody who knows about ODP

Thanks

# May 17 2009, 16:01

Mudassar Khan said:

VVS,

Yes I have worked but not much.
I'll suggest try to fill a datatable instead of using datareader

# May 17 2009, 17:09

Sameer Ali Khan said:

good job....keep it up.....

# July 20 2009, 23:39

shekhar said:

Thankx its working perfectaly.

# October 06 2009, 17:12

Add comment

Name*
E-mail*
b i u quote

Comment
Preview

Notify me when new comments are added

0 + 0 = Incorrect

Translate this pageMicrosoft® Translator

Community News

Web Hosting SpotLight

Consulting

For consulting and work related queries click here.

Advertise

Advertise with us. For more details click here.

Suggestions

Please provide your valuable suggesstions here.

This Site is hosted on

Categories

Alerts

Thank you

Parameterized Queries ADO.Net

Comments

Add comment

Community News

Web Hosting SpotLight

Consulting

Advertise

Suggestions

This Site is hosted on