multiple inserts: advice needed

Hello,

I'm new to C#. I have a situation where I want to execute a number of insert
statements that differ only in a few dynamic values. When I was a Java
programmer, I would do this with a PreparedStatement, which will supposedly
improve performance as well as make the setting of the dynamic values much
more convenient than building a long sql string filled with "', '" + value1 +
"', '".

I think I've found the C# equivalent to the PreparedStatement in the
SqlCommand. Here is a working example of what I've done so far:

    // Requires: using System.Data; using System.Data.SqlClient; using System.Text;
    StringBuilder sb = new StringBuilder();
    sb.Append("INSERT INTO my_table VALUES (");
    sb.Append("@id, @name)");
    SqlCommand command = new SqlCommand(sb.ToString(), conn);
    // Declare each parameter once, with an explicit type (and size for VarChar),
    // which Prepare() requires.
    command.Parameters.Add("@id", SqlDbType.Int);
    command.Parameters.Add("@name", SqlDbType.VarChar, 50);
    command.Prepare();
    for (int i = 0; i < id_arr.Length; i++)
    {
        command.Parameters[0].Value = id_arr[i];
        command.Parameters[1].Value = name_arr[i];
        // Execute once per row; outside the loop only the last row is inserted.
        command.ExecuteNonQuery();
    }

The above is working, but I had to cobble it together from a few other
examples and I'm not sure this is the best or easiest way. In Java's JDBC,
you don't have the step of adding the parameters
(command.Parameters.Add("@name", SqlDbType.VarChar, 50);) which can take many
lines, depending on how many fields you're setting. In fact, I think this
step makes it almost as cumbersome as just building out the whole sql string
with single quotes.

My question is: Is my example above a good way to do multiple inserts, or is
there another technique that would allow me to do this more efficiently? By
"efficiently", I mean web application performance and also programmer
convenience. I'm sure there are tons of developers in this situation, but I
haven't been able to find many good examples out there.

I greatly appreciate any advice or feedback!

Oasis
Jul 22 '05 #1
Hi Oasis,

The point of the SQLParameter calls is that, using these calls, you can
avoid an entire array of attacks against your database. The data that is
passed as a parameter cannot corrupt the SQL string itself, like it could if
you just appended things together. The attack mechanism is called SQL
Injection.

Your mechanism is sound.

--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
Jul 22 '05 #2
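The difference described in the reply above, as an added example that is not part of the original thread: the concatenated form puts the value into the SQL text, while the parameterized form keeps the text fixed and carries the value separately. InsertDemo and its method names are hypothetical, my_table and its two columns come from the question, and wrapping the batch in a transaction is an addition.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class InsertDemo
{
    // Risky pattern: the value becomes part of the SQL text itself.
    public static string BuildConcatenated(int id, string name)
    {
        return "INSERT INTO my_table VALUES (" + id + ", '" + name + "')";
    }

    // Parameterized pattern: the SQL text is fixed; values travel separately.
    public static SqlCommand BuildParameterized(SqlConnection conn)
    {
        var cmd = new SqlCommand("INSERT INTO my_table VALUES (@id, @name)", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int);
        cmd.Parameters.Add("@name", SqlDbType.VarChar, 50);
        return cmd;
    }

    // Inserts every row through one prepared command; conn must already be open.
    public static void InsertAll(SqlConnection conn, int[] ids, string[] names)
    {
        if (ids.Length != names.Length)
            throw new ArgumentException("ids and names must have the same length");
        using (SqlTransaction tx = conn.BeginTransaction())
        using (SqlCommand cmd = BuildParameterized(conn))
        {
            cmd.Transaction = tx;   // assign before Prepare() and ExecuteNonQuery()
            cmd.Prepare();
            for (int i = 0; i < ids.Length; i++)
            {
                cmd.Parameters["@id"].Value = ids[i];
                cmd.Parameters["@name"].Value = names[i];
                cmd.ExecuteNonQuery();
            }
            tx.Commit();            // all rows or none
        }
    }

    static void Main()
    {
        string name = "O'Brien";    // constructed sample value containing a quote
        Console.WriteLine(BuildConcatenated(7, name)); // the quote closes the literal early
        SqlCommand cmd = BuildParameterized(null);     // no connection needed to inspect the text
        cmd.Parameters["@name"].Value = name;
        Console.WriteLine(cmd.CommandText);            // the data never enters the SQL text
    }
}
```

Main only prints the two command texts and needs no database; InsertAll needs an open SqlConnection to a database that has my_table.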
One more note:

Since you had to cobble this together, why not write an article for one of
the programming sites in .Net explaining your tactics and what is happening
under the covers, so that the next person doesn't have to go through the
same difficulty.

--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Jul 22 '05 #3
Thanks Nick, I just may do this.

Oasis

Jul 22 '05 #4
