471,338 Members | 932 Online
Bytes | Software Development & Data Engineering Community
Post +

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 471,338 software developers and data experts.

multiple inserts: advice needed

Hello,

I'm new to c#. I have situation where I want to execute a number of insert
statements that differ only in a few dynamic values. When I was a Java
programmer, I would do this with a PreparedStatement, which will supposedly
improve performance as well as make the setting of the dynamic values much
more convenient than building a long sql string filled with "', '" + value1 +
"', '".

I think I've found the C# equivalent to the PreparedStatement in the
SqlCommand. Here is a working example of what I've done so far:

StringBuilder sb = new StringBuilder();
sb.Append("INSERT INTO my_table VALUES (");
sb.Append("@id, @name)");
SqlCommand command = new SqlCommand(sb.toString(), conn);
command.Parameters.Add("@id", SqlDbType.Int);
command.Parameters.Add("@name", SqlDbType.VarChar, 50);
command.Prepare();
for(int i = 0; i < some_array.Length; i++)
{
command.Parameters[0].Value = id_arr[i];
command.Parameters[1].Value = name_arr[i];
}
command.ExecuteNonQuery();
The above is working, but I had to cobble it together from a few other
examples and I'm not sure this is the best or easiest way. In Java's JDBC,
you don't have the step of adding the parameters
(command.Parameters.Add("@name", SqlDbType.VarChar, 50);) which can take many
lines, depending on how many fields you're setting. In fact, I think this
step makes it almost as cumbersome as just building out the whole sql string
with single quotes.

My question is: Is my example above a good way to do multiple inserts, or is
there another technique that would allow me to do this more efficiently? By
"efficiently", I mean web application performance and also programmer
convenience. I'm sure there are tons of developers in this situation, but I
haven't been able to find many good examples out there.

I greatly appreciate any advice or feedback!

Oasis
Jul 22 '05 #1
3 1506
Hi Oasis,

The point of the SQLParameter calls is that, using these calls, you can
avoid an entire array of attacks against your database. The data that is
passed as a parameter cannot corrupt the SQL string itself, like it could
you just appended things together. The attack mechanism is called SQL
Injection.

Your mechanism is sound.

--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
"Oasis" <Oa***@discussions.microsoft.com> wrote in message
news:41**********************************@microsof t.com...
Hello,

I'm new to c#. I have situation where I want to execute a number of insert
statements that differ only in a few dynamic values. When I was a Java
programmer, I would do this with a PreparedStatement, which will
supposedly
improve performance as well as make the setting of the dynamic values much
more convenient than building a long sql string filled with "', '" +
value1 +
"', '".

I think I've found the C# equivalent to the PreparedStatement in the
SqlCommand. Here is a working example of what I've done so far:

StringBuilder sb = new StringBuilder();
sb.Append("INSERT INTO my_table VALUES (");
sb.Append("@id, @name)");
SqlCommand command = new SqlCommand(sb.toString(), conn);
command.Parameters.Add("@id", SqlDbType.Int);
command.Parameters.Add("@name", SqlDbType.VarChar, 50);
command.Prepare();
for(int i = 0; i < some_array.Length; i++)
{
command.Parameters[0].Value = id_arr[i];
command.Parameters[1].Value = name_arr[i];
}
command.ExecuteNonQuery();
The above is working, but I had to cobble it together from a few other
examples and I'm not sure this is the best or easiest way. In Java's JDBC,
you don't have the step of adding the parameters
(command.Parameters.Add("@name", SqlDbType.VarChar, 50);) which can take
many
lines, depending on how many fields you're setting. In fact, I think this
step makes it almost as cumbersome as just building out the whole sql
string
with single quotes.

My question is: Is my example above a good way to do multiple inserts, or
is
there another technique that would allow me to do this more efficiently?
By
"efficiently", I mean web application performance and also programmer
convenience. I'm sure there are tons of developers in this situation, but
I
haven't been able to find many good examples out there.

I greatly appreciate any advice or feedback!

Oasis

Jul 22 '05 #2
One more note:

Since you had to cobble this together, why not write an article for one of
the programming sites in .Net explaining your tactics and what is happening
under the covers, so that the next person doesn't have to go through the
same difficulty.

--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
"Oasis" <Oa***@discussions.microsoft.com> wrote in message
news:41**********************************@microsof t.com...
Hello,

I'm new to c#. I have situation where I want to execute a number of insert
statements that differ only in a few dynamic values. When I was a Java
programmer, I would do this with a PreparedStatement, which will
supposedly
improve performance as well as make the setting of the dynamic values much
more convenient than building a long sql string filled with "', '" +
value1 +
"', '".

I think I've found the C# equivalent to the PreparedStatement in the
SqlCommand. Here is a working example of what I've done so far:

StringBuilder sb = new StringBuilder();
sb.Append("INSERT INTO my_table VALUES (");
sb.Append("@id, @name)");
SqlCommand command = new SqlCommand(sb.toString(), conn);
command.Parameters.Add("@id", SqlDbType.Int);
command.Parameters.Add("@name", SqlDbType.VarChar, 50);
command.Prepare();
for(int i = 0; i < some_array.Length; i++)
{
command.Parameters[0].Value = id_arr[i];
command.Parameters[1].Value = name_arr[i];
}
command.ExecuteNonQuery();
The above is working, but I had to cobble it together from a few other
examples and I'm not sure this is the best or easiest way. In Java's JDBC,
you don't have the step of adding the parameters
(command.Parameters.Add("@name", SqlDbType.VarChar, 50);) which can take
many
lines, depending on how many fields you're setting. In fact, I think this
step makes it almost as cumbersome as just building out the whole sql
string
with single quotes.

My question is: Is my example above a good way to do multiple inserts, or
is
there another technique that would allow me to do this more efficiently?
By
"efficiently", I mean web application performance and also programmer
convenience. I'm sure there are tons of developers in this situation, but
I
haven't been able to find many good examples out there.

I greatly appreciate any advice or feedback!

Oasis

Jul 22 '05 #3
Thanks Nick, I just may do this.

Oasis

"Nick Malik [Microsoft]" wrote:
One more note:

Since you had to cobble this together, why not write an article for one of
the programming sites in .Net explaining your tactics and what is happening
under the covers, so that the next person doesn't have to go through the
same difficulty.

--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
"Oasis" <Oa***@discussions.microsoft.com> wrote in message
news:41**********************************@microsof t.com...
Hello,

I'm new to c#. I have situation where I want to execute a number of insert
statements that differ only in a few dynamic values. When I was a Java
programmer, I would do this with a PreparedStatement, which will
supposedly
improve performance as well as make the setting of the dynamic values much
more convenient than building a long sql string filled with "', '" +
value1 +
"', '".

I think I've found the C# equivalent to the PreparedStatement in the
SqlCommand. Here is a working example of what I've done so far:

StringBuilder sb = new StringBuilder();
sb.Append("INSERT INTO my_table VALUES (");
sb.Append("@id, @name)");
SqlCommand command = new SqlCommand(sb.toString(), conn);
command.Parameters.Add("@id", SqlDbType.Int);
command.Parameters.Add("@name", SqlDbType.VarChar, 50);
command.Prepare();
for(int i = 0; i < some_array.Length; i++)
{
command.Parameters[0].Value = id_arr[i];
command.Parameters[1].Value = name_arr[i];
}
command.ExecuteNonQuery();
The above is working, but I had to cobble it together from a few other
examples and I'm not sure this is the best or easiest way. In Java's JDBC,
you don't have the step of adding the parameters
(command.Parameters.Add("@name", SqlDbType.VarChar, 50);) which can take
many
lines, depending on how many fields you're setting. In fact, I think this
step makes it almost as cumbersome as just building out the whole sql
string
with single quotes.

My question is: Is my example above a good way to do multiple inserts, or
is
there another technique that would allow me to do this more efficiently?
By
"efficiently", I mean web application performance and also programmer
convenience. I'm sure there are tons of developers in this situation, but
I
haven't been able to find many good examples out there.

I greatly appreciate any advice or feedback!

Oasis


Jul 22 '05 #4

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

4 posts views Thread by Steven Blair | last post: by
3 posts views Thread by Oasis | last post: by
2 posts views Thread by Diego | last post: by
reply views Thread by rosydwin | last post: by

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.