2

I have a simple query where in FROM I've got something like:

WHERE ([Comment]  LIKE '%something%'
      OR [Comment] LIKE '%aaaa%'
      OR [Commnet] LIKE '%ccc') 
AND Replace([Number], ' ', '') = @number

Unfortunetly this is now hardcoded in code so if anything changes (more OR's on the [Comment] field I have to go and change it in the code. Is it possible to pass [Comment] like a parameter with multiple values (unknown to me) so I would create some SQL Table with every comment I want to use in that query (and users would be able to add new ones from within program so it would be taken care of automatically?

  using (var varConnection = Locale.sqlConnectOneTime(Locale.sqlDataConnectionDetails)) 
        using (var sqlQuery = new SqlCommand(preparedCommand, varConnection)) {
            sqlQuery.Parameters.AddWithValue("@number", varNumber);
            using (var sqlQueryResult = sqlQuery.ExecuteReader())
                while (sqlQueryResult.Read()) {
                    string varID = sqlQueryResult["ID"].ToString();

                }
        }
Improve this question

2 Answers 2

Reset to default
2

You can use table value parameters in SQL Server 2008.

For earlier versions, you could pass in an XML parameter and parse the data with XPath.

For good in depth analysis of the different options, read this article by Erland Sommarskog (SQL Server 2005) and the additional article about SQL Server 2008.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Seems like a great article resources :-) Lots of reading. Thanx
1

Even if the solution of Oded seems to be the best way to go (which i also didn't know till now), i currently built up the command and parameters in some way automatically like this (which doesn't currently match your problem, cause you're using like):

// Some sql statement with a placeholder for all parameters (@ID0, @ID1, @ID2, ...)
string sql = "select * from table where ID in ( {0} )";

// Create a list of items of @ID0, 3; @ID1, 8; ...
var parameters = myList.Where(item => item.MatchesSomeCondition())
                       .Select((item, index) => new
                               {
                                   Name = "@ID" + index,
                                   Value = item.ID
                               });

// Add all parameters to the sqlCmd
foreach(parameter in parameters)
{
    sqlCmd.Parameters.AddWithValue(parameter.Name, parameter.Value);
}

// Insert all @IDx into the sql statement
// Result: "select * from table where ID in ( @ID0, @ID1, @ID2, ... )"
sqlCmd.CommandText = String.Format(sql, String.Join(", ", parameters.Select(parameter => parameter.Name).ToArray()
Improve this answer

2 Comments

What about SQL Injection? Will it not be a problem in this case?
@MadBoy: Not really, due to the fact that you work with real parameters. The only what will be "injected" into the statement will be the names of the parameters not their content. And that a parameter can't "break out" is a problem of the SqlCommand class and the sql server itself.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.