NiteshG86

Reputation: 85

In the SqlCommand.Parameter.Add() method, is the length parameter compulsory or not?

cmd.Parameters.Add("@blah", SqlDbType.VarChar).Value = blah;

In this code, is the length of the parameter compulsory or not?

Also, if we do not use the length parameter in this method, does any performance or SQL injection related issue occur?

Please suggest. Thanks.

Upvotes: 1

Views: 421

Answers (3)

Erdogan Kurtur

Reputation: 3685

If you omit the length argument, it creates the argument with the size of your data:

cmd.Parameters.Add("@blah", SqlDbType.VarChar).Value = "this is 22 chars long.";

It creates a parameter of type VarChar(22). It is possible that SQL Server uses that parameter information before doing any work to see if the data fits the column (I'd do that).

Upvotes: 0

Soner Gönül

Reputation: 98810

In this code, is the length of the parameter compulsory or not?

I don't think it is compulsory. But it would be good practice to clarify it. SqlParameterCollection.Add(String, SqlDbType) takes SqlDbType as a second parameter, and the length of the parameter is not required. Just a tip: if your column is varchar(max), then you should use VarChar as the db type.

And if we do not use the length parameter in this method, does any performance or SQL injection related issue occur?

The performance issue looks irrelevant because the length is not a must. And since you use parameterized SQL in your queries, you should not worry about SQL injection attacks.

Upvotes: 2

Rajesh Subramanian

Reputation: 6490

Since it is passed as a parameter, I don't think any issue will arise with regard to injection. Regarding length, if you use varchar(max), that will lead to a performance issue as it internally keeps that type as text.

Finally, it is not required to use length while passing a parameter.

Upvotes: 1
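
Added example (not code from any of the posts above): the two forms of Parameters.Add discussed in this thread, side by side, showing the size the provider infers when the length is omitted and that the command text stays fixed for every input. The table dbo.Users, its Name varchar(50) column, the class and helper names, and the sample inputs are assumptions made for illustration; no database connection is needed to run it.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class ParameterSizeDemo
{
    // Hypothetical schema: dbo.Users(Id int, Name varchar(50)).
    const string Sql = "SELECT Id FROM dbo.Users WHERE Name = @blah";
    const int NameColumnSize = 50;

    // Length omitted: the provider infers the size from the current value,
    // so the declaration sent to the server varies with the input length.
    static SqlCommand WithInferredSize(string blah)
    {
        var cmd = new SqlCommand(Sql);
        cmd.Parameters.Add("@blah", SqlDbType.VarChar).Value = blah;
        return cmd;
    }

    // Length given: the declaration is always varchar(50), matching the column.
    // A value longer than Size is truncated when sent, so reject it up front.
    static SqlCommand WithExplicitSize(string blah)
    {
        if (blah.Length > NameColumnSize)
            throw new ArgumentException("value exceeds column size", nameof(blah));
        var cmd = new SqlCommand(Sql);
        cmd.Parameters.Add("@blah", SqlDbType.VarChar, NameColumnSize).Value = blah;
        return cmd;
    }

    static void Main()
    {
        // Constructed inputs; the last one is shaped like an injection attempt.
        string[] inputs = { "bob", "this is 22 chars long.", "x' OR '1'='1" };

        foreach (var input in inputs)
        {
            using (var inferred = WithInferredSize(input))
            using (var sized = WithExplicitSize(input))
            {
                // The input only ever lives in Parameters[...].Value;
                // CommandText is the same constant string in both forms.
                Console.WriteLine("{0,-24} inferred={1,2} explicit={2} text-unchanged={3}",
                    input, inferred.Parameters["@blah"].Size,
                    sized.Parameters["@blah"].Size, inferred.CommandText == Sql);
            }
        }
    }
}
```

Both forms keep the input out of the SQL text; the explicit size only fixes the declared type, which is why the length check belongs in application code rather than being left to truncation.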
