
Using SQL parameters, I could insert a NULL value to the database using this sort of C# code:

string query = "INSERT INTO table_name (column_name) VALUES (@value)";
using (SqlConnection connection = new SqlConnection(/* connection info */))
{
    using (SqlCommand command = new SqlCommand(query, connection))
    {
        // DBNull.Value is what the provider sends to the server as SQL NULL
        command.Parameters.AddWithValue("@value", DBNull.Value);
        connection.Open();
        command.ExecuteNonQuery();
    }
}

Not using parameters is usually considered to be bad practice, because of SQL-Injection and some other reasons. But, I am curious to know if there is a way to do so without using them. Something like this:

var nullValue = DBNull.Value;
// note: DBNull.Value.ToString() is an empty string, so this concatenation yields "VALUES ()"
string query = "INSERT INTO table_name (column_name) VALUES (" + nullValue + ")";

or even:

string query = "INSERT INTO table_name (column_name) VALUES (\\NULL\\)"; 

or whatever. Thanks.

  • What problem are you facing? Commented May 9, 2016 at 5:27
  • I do not face a problem. I am just curious. :) Commented May 9, 2016 at 5:33

2 Answers

Uhmm, yes. You could do that: if you are certain that the column should always be NULL, then you could simply write the SQL statement as a full string, like this.

string query = "INSERT INTO table_name (column_name) VALUES (NULL)";

If you take input from a user, then NEVER do this; this is exactly how you get injected.

var nullValue = DBNull.Value;
string query = "INSERT INTO table_name (column_name) VALUES (" + nullValue + ")";

The injection would happen if nullValue contained something like the string NULL); DROP TABLE table_name, where the NULL); just completes your own SQL, allowing more SQL code to wreak havoc on your data.

The first rule of web development: NEVER EVER trust user data. Use parameters.

using (SqlConnection connection = new SqlConnection("connection_String"))
{
    string query = "INSERT INTO table_name (column_name) VALUES (@val1)";

    // bind the command to the connection it will execute on
    using (SqlCommand inputQuery = new SqlCommand(query, connection))
    {
        // DBNull.Value is sent to the server as SQL NULL
        inputQuery.Parameters.AddWithValue("@val1", DBNull.Value);
        try
        {
            connection.Open();
            int recordsAffected = inputQuery.ExecuteNonQuery();
        }
        catch (SqlException)
        {
            // handle the error here
        }
        finally
        {
            connection.Close();
        }
    }
}
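To make the point above concrete, here is an added example (not from the question or this answer) that puts the two approaches side by side: what the asker's concatenation actually produces, and a parameterised insert that maps a missing C# value to SQL NULL. Table and column names, the connection string and the parameter size are placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class NullInsertDemo
{
    // Concatenating DBNull.Value into SQL text does not yield NULL:
    // DBNull.Value.ToString() returns an empty string, so the statement
    // becomes "VALUES ()", which is invalid SQL. Worse, any user-supplied
    // text passed in here is spliced straight into the statement, which is
    // the injection the answer warns about. Shown only to illustrate the risk.
    public static string BuildByConcatenation(object value)
    {
        return "INSERT INTO table_name (column_name) VALUES (" + value + ")";
    }

    // Safe form: the value travels as a typed parameter, never as SQL text.
    // A C# null is converted to DBNull.Value, which the provider sends as NULL,
    // so the same code path handles both "value present" and "value missing".
    public static SqlCommand BuildParameterised(SqlConnection connection, string value)
    {
        var command = new SqlCommand(
            "INSERT INTO table_name (column_name) VALUES (@value)", connection);
        command.Parameters.Add("@value", SqlDbType.NVarChar, 100).Value =
            (object)value ?? DBNull.Value;   // null -> DBNull.Value -> SQL NULL
        return command;
    }

    static void Main()
    {
        // Inspect the concatenated text without executing it.
        Console.WriteLine(BuildByConcatenation(DBNull.Value));

        using (var connection = new SqlConnection("connection_String"))
        using (var command = BuildParameterised(connection, null))
        {
            // The parameter carries DBNull.Value; no SQL text was altered.
            Console.WriteLine(command.Parameters["@value"].Value == DBNull.Value);
            // connection.Open(); command.ExecuteNonQuery();  // requires a live SQL Server
        }
    }
}
```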

Please try this.

command.Parameters.AddWithValue(
"@ProductName",
// this requires a cast as ?: must return the same type
String.IsNullOrWhiteSpace(productName)
    ? (object)DBNull.Value
    : (object)productName
);

1 Comment

Your code uses parameters... I want to know how to do this without using them. Thanks. :)