15

The program is in C#, and I'm trying to pass a List<string> as a parameter.

List<string> names = new List<string>{"john", "brian", "robert"};

In plain SQL, the query will look like this:

DELETE FROM Students
WHERE name = 'john' or name = 'brian' or name = 'robert'

When running a SQL command in C# code, I know that the proper way of doing it is to use parameters instead of concatenating everything into one giant string.

command.CommmandText = "DELETE FROM Students WHERE name = @name";
command.Parameters.Add(new MySqlParameter("@name", String.Format("'{0}'", String.Join("' or name = '", names)));
command.NonQuery();

The above method did not work. It didn't throw any error/exception, it just simply didn't work the way I want it to.

How should I go about doing this?

I thought about looping through the List<string> and just execute on every single name. 

foreach(string name in names)
{
    command.CommmandText = "DELETE FROM Students WHERE name = @name";
    command.Parameters.Add(new MySqlParameter("@name", name));
    command.NonQuery();
    command.Parameters.Clear();
}

But this will take a long time as the actual List<string> is quite large. I want to try execute at little as possible.

Thanks!

sora0419
  • 2,308
  • 9
  • 39
  • 58
  • 2
    command.CommmandText = "DELETE FROM Students WHERE name in( @name )"; – Hackerman Mar 04 '14 at 15:46
  • You cannot include SQL commands in the value of a parameter. In this case you are literally comparing name to "john or name = brian or name = robert" – juharr Mar 04 '14 at 15:49
  • 2
    @RobertRozas You cannot put a list of values into one parameter. – juharr Mar 04 '14 at 15:53
  • I know, it's just a comment, but the right solution is to use IN...and parameterize each value...or implode the array and glue to match the IN format – Hackerman Mar 04 '14 at 15:55
  • Actually you can just as easily write code to add `name = @n1 or name= @n2 or name = @n3` to the query and create all the parameters. Using `In` makes for more concise code, but the main point is that you need more than one parameter here. – juharr Mar 04 '14 at 15:59

1 Answers1

27

You can parameterize each value in the list in an IN clause:

List<string> names = new List<string> { "john", "brian", "robert" };
string commandText = "DELETE FROM Students WHERE name IN ({0})";
string[] paramNames = names.Select(
    (s, i) => "@tag" + i.ToString()
).ToArray();

string inClause = string.Join(",", paramNames);
using (var command = new SqlCommand(string.Format(commandText, inClause), con))
{
    for (int i = 0; i < paramNames.Length; i++)
    {
        command.Parameters.AddWithValue(paramNames[i], names[i]);
    }
    int deleted = command.ExecuteNonQuery();
}

which is similar to:

"... WHERE Name IN (@tag0,@tag1,@tag2)"

command.Parameters["@tag0"].Value = "john";
command.Parameters["@tag1"].Value = "brian";
command.Parameters["@tag2"].Value = "robert";

Adapted from: https://stackoverflow.com/a/337792/284240

Community
  • 1
  • 1
Tim Schmelter
  • 450,073
  • 74
  • 686
  • 939