user14443684
Reputation:
C# | Use parameter in SqlCommand query
I have this ASP.NET Core project and in my DAL I collect my data from my database, but I want the user to be able to type a type character (Karakter is character in Dutch) and the DAL should pick 2 random characters from the database with KarakterSoort = "Defensive".
This is my current code in my DAL:
public IEnumerable<IKarakter> GetSortedKarakters()
{
using (SqlConnection connection = GetConnection())
{
connection.Open();
var command = new SqlCommand("SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = 'Defensive' ORDER BY NEWID();", connection);
var reader = command.ExecuteReader();
var sortedKarakters = new List<IKarakter>();
while (reader.Read())
{
var karakter = new KarakterDTO
{
KarakterId = (int)reader["KarakterId"],
KarakterSoort = reader["KarakterSoort"]?.ToString(),
KarakterNaam = reader["KarakterNaam"]?.ToString()
};
sortedKarakters.Add(karakter);
}
return sortedKarakters;
}
}
And this is what I think should be in the right direction of the solution:
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
using (SqlConnection connection = GetConnection())
{
connection.Open();
var command = new SqlCommand("SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = givenStringFromUser ORDER BY NEWID();", connection);
var reader = command.ExecuteReader();
var sortedKarakters = new List<IKarakter>();
while (reader.Read())
{
var karakter = new KarakterDTO
{
KarakterId = (int)reader["KarakterId"],
KarakterSoort = reader["KarakterSoort"]?.ToString(),
KarakterNaam = reader["KarakterNaam"]?.ToString()
};
sortedKarakters.Add(karakter);
}
return sortedKarakters;
}
}
I can't find how to make this work so I figured I ask my question here.
Upvotes: 2
Views: 2034
Answers (2)
marc_s
Reputation: 754230
You need to add a SqlParameter and set its value:
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
using (SqlConnection connection = GetConnection())
{
var command = new SqlCommand("SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = @UserInput ORDER BY NEWID();", connection);
command.Parameters.Add("@UserInput", SqlDbType.VarChar, 100).Value = givenStringFromUser;
connection.Open();
var reader = command.ExecuteReader();
var sortedKarakters = new List<IKarakter>();
while (reader.Read())
{
var karakter = new KarakterDTO
{
KarakterId = (int)reader["KarakterId"],
KarakterSoort = reader["KarakterSoort"]?.ToString(),
KarakterNaam = reader["KarakterNaam"]?.ToString()
};
sortedKarakters.Add(karakter);
}
connection.Close();
return sortedKarakters;
}
}
Upvotes: 1
IMujagic
Reputation: 1259
You have to provide your filter value to the sql query. Also, don't put it directly to query string, but use SqlCommand parameters. That will save you for the unwanted sql injection.
Something like this should work:
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
using (SqlConnection connection = GetConnection())
{
connection.Open();
var command = new SqlCommand("SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = @filterValue ORDER BY NEWID();", connection);
command.Parameters.Add("@filterValue", SqlDbType.VarChar).Value = givenStringFromUser;
var reader = command.ExecuteReader();
var sortedKarakters = new List<IKarakter>();
while (reader.Read())
{
var karakter = new KarakterDTO
{
KarakterId = (int)reader["KarakterId"],
KarakterSoort = reader["KarakterSoort"]?.ToString(),
KarakterNaam = reader["KarakterNaam"]?.ToString()
};
sortedKarakters.Add(karakter);
}
return sortedKarakters;
}
}
Upvotes: 1
Related Questions
- How to include parameters inside 'SqlCommand' sentence and after set theirs values?
- parameterized sql query - asp.net / c#
- C# SqlCommand command with parameter in the middle of query
- C# & SQL Server : add parameter to query
- Use SQL command as a parameter value in C#
- How to use parameterized queries in SqlDataSource.SelectCommand in code behind?
- SqlCommand with Parameters
- How to insert sql parameter inside a text query
- SqlCommand with parameters as a string
- ASP.NET parameters calling in SQL command (code behind)