Hello,
I'm new to c#. I have situation where I want to execute a number of insert
statements that differ only in a few dynamic values. When I was a Java
programmer, I would do this with a PreparedStatement, which will supposedly
improve performance as well as make the setting of the dynamic values much
more convenient than building a long sql string filled with "', '" + value1 +
"', '".
I think I've found the C# equivalent to the PreparedStatement in the
SqlCommand. Here is a working example of what I've done so far:
StringBuilder sb = new StringBuilder();
sb.Append("INSERT INTO my_table VALUES (");
sb.Append("@id, @name)");
SqlCommand command = new SqlCommand(sb.toString(), conn);
command.Parameters.Add("@id", SqlDbType.Int);
command.Parameters.Add("@name", SqlDbType.VarChar, 50);
command.Prepare();
for(int i = 0; i < some_array.Length; i++)
{
command.Parameters[0].Value = id_arr[i];
command.Parameters[1].Value = name_arr[i];
}
command.ExecuteNonQuery();
The above is working, but I had to cobble it together from a few other
examples and I'm not sure this is the best or easiest way. In Java's JDBC,
you don't have the step of adding the parameters
(command.Parameters.Add("@name", SqlDbType.VarChar, 50);) which can take many
lines, depending on how many fields you're setting. In fact, I think this
step makes it almost as cumbersome as just building out the whole sql string
with single quotes.
My question is: Is my example above a good way to do multiple inserts, or is
there another technique that would allow me to do this more efficiently? By
"efficiently", I mean web application performance and also programmer
convenience. I'm sure there are tons of developers in this situation, but I
haven't been able to find many good examples out there.
I greatly appreciate any advice or feedback!
Oasis
3  1601 
Hi Oasis,
The point of the SQLParameter calls is that, using these calls, you can
avoid an entire array of attacks against your database. The data that is
passed as a parameter cannot corrupt the SQL string itself, like it could
you just appended things together. The attack mechanism is called SQL
Injection.
Your mechanism is sound.
--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster http://blogs.msdn.com/nickmalik
Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
"Oasis" <Oa***@discussions.microsoft.com> wrote in message
news:41**********************************@microsof t.com... Hello,
I'm new to c#. I have situation where I want to execute a number of insert
statements that differ only in a few dynamic values. When I was a Java
programmer, I would do this with a PreparedStatement, which will
supposedly
improve performance as well as make the setting of the dynamic values much
more convenient than building a long sql string filled with "', '" +
value1 +
"', '".
I think I've found the C# equivalent to the PreparedStatement in the
SqlCommand. Here is a working example of what I've done so far:
StringBuilder sb = new StringBuilder();
sb.Append("INSERT INTO my_table VALUES (");
sb.Append("@id, @name)");
SqlCommand command = new SqlCommand(sb.toString(), conn);
command.Parameters.Add("@id", SqlDbType.Int);
command.Parameters.Add("@name", SqlDbType.VarChar, 50);
command.Prepare();
for(int i = 0; i < some_array.Length; i++)
{
command.Parameters[0].Value = id_arr[i];
command.Parameters[1].Value = name_arr[i];
}
command.ExecuteNonQuery();
The above is working, but I had to cobble it together from a few other
examples and I'm not sure this is the best or easiest way. In Java's JDBC,
you don't have the step of adding the parameters
(command.Parameters.Add("@name", SqlDbType.VarChar, 50);) which can take
many
lines, depending on how many fields you're setting. In fact, I think this
step makes it almost as cumbersome as just building out the whole sql
string
with single quotes.
My question is: Is my example above a good way to do multiple inserts, or
is
there another technique that would allow me to do this more efficiently?
By
"efficiently", I mean web application performance and also programmer
convenience. I'm sure there are tons of developers in this situation, but
I
haven't been able to find many good examples out there.
I greatly appreciate any advice or feedback!
Oasis
One more note:
Since you had to cobble this together, why not write an article for one of
the programming sites in .Net explaining your tactics and what is happening
under the covers, so that the next person doesn't have to go through the
same difficulty.
--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster http://blogs.msdn.com/nickmalik
Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
"Oasis" <Oa***@discussions.microsoft.com> wrote in message
news:41**********************************@microsof t.com... Hello,
I'm new to c#. I have situation where I want to execute a number of insert
statements that differ only in a few dynamic values. When I was a Java
programmer, I would do this with a PreparedStatement, which will
supposedly
improve performance as well as make the setting of the dynamic values much
more convenient than building a long sql string filled with "', '" +
value1 +
"', '".
I think I've found the C# equivalent to the PreparedStatement in the
SqlCommand. Here is a working example of what I've done so far:
StringBuilder sb = new StringBuilder();
sb.Append("INSERT INTO my_table VALUES (");
sb.Append("@id, @name)");
SqlCommand command = new SqlCommand(sb.toString(), conn);
command.Parameters.Add("@id", SqlDbType.Int);
command.Parameters.Add("@name", SqlDbType.VarChar, 50);
command.Prepare();
for(int i = 0; i < some_array.Length; i++)
{
command.Parameters[0].Value = id_arr[i];
command.Parameters[1].Value = name_arr[i];
}
command.ExecuteNonQuery();
The above is working, but I had to cobble it together from a few other
examples and I'm not sure this is the best or easiest way. In Java's JDBC,
you don't have the step of adding the parameters
(command.Parameters.Add("@name", SqlDbType.VarChar, 50);) which can take
many
lines, depending on how many fields you're setting. In fact, I think this
step makes it almost as cumbersome as just building out the whole sql
string
with single quotes.
My question is: Is my example above a good way to do multiple inserts, or
is
there another technique that would allow me to do this more efficiently?
By
"efficiently", I mean web application performance and also programmer
convenience. I'm sure there are tons of developers in this situation, but
I
haven't been able to find many good examples out there.
I greatly appreciate any advice or feedback!
Oasis
Thanks Nick, I just may do this.
Oasis
"Nick Malik [Microsoft]" wrote: One more note:
Since you had to cobble this together, why not write an article for one of
the programming sites in .Net explaining your tactics and what is happening
under the covers, so that the next person doesn't have to go through the
same difficulty.
--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik
Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
"Oasis" <Oa***@discussions.microsoft.com> wrote in message
news:41**********************************@microsof t.com... Hello,
I'm new to c#. I have situation where I want to execute a number of insert
statements that differ only in a few dynamic values. When I was a Java
programmer, I would do this with a PreparedStatement, which will
supposedly
improve performance as well as make the setting of the dynamic values much
more convenient than building a long sql string filled with "', '" +
value1 +
"', '".
I think I've found the C# equivalent to the PreparedStatement in the
SqlCommand. Here is a working example of what I've done so far:
StringBuilder sb = new StringBuilder();
sb.Append("INSERT INTO my_table VALUES (");
sb.Append("@id, @name)");
SqlCommand command = new SqlCommand(sb.toString(), conn);
command.Parameters.Add("@id", SqlDbType.Int);
command.Parameters.Add("@name", SqlDbType.VarChar, 50);
command.Prepare();
for(int i = 0; i < some_array.Length; i++)
{
command.Parameters[0].Value = id_arr[i];
command.Parameters[1].Value = name_arr[i];
}
command.ExecuteNonQuery();
The above is working, but I had to cobble it together from a few other
examples and I'm not sure this is the best or easiest way. In Java's JDBC,
you don't have the step of adding the parameters
(command.Parameters.Add("@name", SqlDbType.VarChar, 50);) which can take
many
lines, depending on how many fields you're setting. In fact, I think this
step makes it almost as cumbersome as just building out the whole sql
string
with single quotes.
My question is: Is my example above a good way to do multiple inserts, or
is
there another technique that would allow me to do this more efficiently?
By
"efficiently", I mean web application performance and also programmer
convenience. I'm sure there are tons of developers in this situation, but
I
haven't been able to find many good examples out there.
I greatly appreciate any advice or feedback!
Oasis
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: jason |
last post by:
How does one loop through the contents of a form complicated by dynamic
construction of checkboxes which are assigned a 'model' and 'listingID' to
the NAME field on the fly in this syntax:...
|
by: Joe |
last post by:
Hey,
I'm going to give some background on my situation in case anyone can
point out a way around my problem altogether... for the problem
itself, please skip to the bottom of the post. thanks....
|
by: Primo |
last post by:
Hello,
I am building a data management application with the following processes:
Process 1 is a Windows service which uses FileSystemWatcher to monitor a
directory.
Process 2 opens a file...
|
by: Steven Blair |
last post by:
I am looking for some advice on the following problem:
I am using a GridView and a SQLDataSource.
The problem is based around a Room Booking app I am currently writing.
When the user makes a...
|
by: Oasis |
last post by:
Hello,
I'm new to c#. I have situation where I want to execute a number of insert
statements that differ only in a few dynamic values. When I was a Java
programmer, I would do this with a...
|
by: Diego |
last post by:
Hi everybody!
I'm using DB2 PE v8.2.3 for linux. I've defined a database with the
following schema:
ANNOTATION(ID,AUTHOR,TEXT)
ANNOTATION_BOOK(ANNOTATION_ID,OBJECT_ID)...
|
by: arak123 |
last post by:
consider the following oversimplified and fictional code
public void CreateInvoices(Invoice invoices)
{
IDbCommand command=Util.CreateDbCommand();
foreach(Invoice invoice in invoices) //lets...
|
by: dan |
last post by:
within a loop i am building a sql insert statement to run against my
(programatically created) mdb. it works but it seems unreasonably SLOW!
Sorry, dont have the code here but the jist is very...
|
by: bonneylake |
last post by:
Hey Everyone,
Well recently i been inserting multiple fields for a section in my form called "serial". Well now i am trying to insert multiple fields for the not only the serial section but also...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
| |
