A quick question: How to use variables in the SQL insertion string

G

Guest

Hello,

I am new to ADO.NET and SQL. What I am trying to do is very basic - to
insert some variable values into database. The following is the C# code:

private static void InsertIntoSqlDb(OleDbDataReader reader)
{

string insStr = "";
string list_no = reader.GetString(0);
string item_no = reader.GetString(1);
string description = reader.GetString(2);

string priceStr = reader.GetString(3);

insStr = "INSERT INTO dliTestDb (list, item, description, price) VALUES
(list_no, item_no, description, priceStr)";


SqlCommand cmd = new SqlCommand(insStr, conn);

//Insert
//
try
{
cmd.ExecuteNonQuery();
}
catch(Exception ex)
{
Console.WriteLine(ex);
}

}


Upon execution of the above, I got exception:



System.Data.SqlClient.SqlException: The name 'list_no' is not permitted in
this
context. Only constants, expressions, or variables allowed here. Column
names ar
e not permitted.
at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()

Doesn't any one know how to use variable names exactly in the SQL insertion
string?

Thanks.
 
W

William \(Bill\) Vaughn

You mean besides building a Command object and a Parameters collection?
We've talked about this a million times...

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
 
G

Guest

Hi Bill,

I am not sure I understand. As I said, I am new to the whole windows
programming. Things that are so obvious to you might not be so for me. So if
you are a "mentor", then pls answer the question in plain English or give a
reference. Otherwise. I don't see the usefulness.
Regards,

David
 
W

William \(Bill\) Vaughn

Sorry, I was looking at another message and typed the response.
Your problem is that you are trying to build an INSERT statement without
properly concatenating the variables into the string. Frankly, this is a
dangerous practice as it leads to SQL injection attacks. As I describe in my
article on handling parameters (see
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnadonet/html/gazoutas.asp)
we suggest you create a Parameters collection and Add a Parameter for each
column in the INSERT. While this is more work, it deals with a litany of
problems. Yes, this article talks about stored procedures, but the Command
object construction is about the same.

hth

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
 
M

Mark Rae

we suggest you create a Parameters collection and Add a Parameter for each
column in the INSERT. While this is more work, it deals with a litany of
problems.
Click to expand...

It certainly is a lot more work, but the benefits by far outweigh the
additional effort.

I actually ended up writing a small WinForms utility to generate this code
automatically, so this process now takes me around 10 seconds per SQL Server
table...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

How a commit a loop of inserting 2
How to contine inserting the rest record when a duplicate occur 3
about images in sql server 6
Finding the Text value of a column... 2
How to loop till the last or null row. 2
CLR stored procedure fails to rollback the transaction? 9
SQL Server dataset read from database A and write to database B 2
Using a parameter for the filename in an SQL query 3

Top