-1

I am building a string using the string.Format method. Often, I will have very long parameter lists for tables with many columns for example

string query = string.Format("{0},{1},{2},...,{30}", val1, val2, ...., val30);

Does C# have a more concise way of dealing with such strings?

SleepingSpider
    You are building sql queries with `string.Format`?? Have you ever heard of sql-injection? – Tim Schmelter Jun 13 '17 at 15:05
  • 4
    Use Parameterized Queries, instead of using `String.Format` – Abhinav Galodha Jun 13 '17 at 15:06
  • Not sure if there is a better way, but just off the topic: why don't you use a stored procedure that can take parameters rather than using a string as the query? Have you heard of SQL Injection? – Yawar Murtaza Jun 13 '17 at 15:07
  • @TimSchmelter Indeed I have. This isn't a web facing application, and there probably will only be one user of the application. I'm reading from text files, doing some processing then insert into the database. The values do get "cleaned up" before database access. Thanks for mentioning that. – SleepingSpider Jun 13 '17 at 15:11
  • @YawarMurtaza SQL injection had been mentioned previously. Thanks. – SleepingSpider Jun 13 '17 at 15:13
  • 1
    Presumably your query will be run more than once with a different set of parameters, correct? If so, it's still beneficial to do the parameterized query due to giving the query planner an easier time. – Jesper Bangsholt Jun 13 '17 at 15:15
  • 1
    @iab: there is never ever an excuse for using string concatenation instead of parameterized queries. Maybe you will never have any problems (sql-injection, localization issues, performance problems or wrong conversions). But maybe this will explode some time. Why would you want to risk it? – Tim Schmelter Jun 13 '17 at 15:15
  • Why are people downvoting the question? While it is definitely not a good practice, that is exactly the kind of basic question that I would like beginners to see, then find in the answers all the reasons not to follow the bad practice! – Bruno Guardia Jun 13 '17 at 15:49

3 Answers

1

You can use string interpolation:

$"{val1},{val2},{val3}"

But I have to warn you: do not build the SQL statement using string.Format and alike. Use parameterized queries!

Patrick Hofman
0

Do not build your queries with string.Format or string interpolation.

There are built in methods to safely parameterize your queries:

using System.Data.SqlClient;

string sql = "SELECT name FROM student WHERE id = @id";

using (SqlConnection connection = new SqlConnection(someConnectionString))
using (SqlCommand command = new SqlCommand(sql, connection))
{
    // The value travels as a typed parameter, never as part of the SQL text.
    command.Parameters.Add(new SqlParameter("@id", someIdVariable));
    connection.Open(); // ExecuteReader requires an open connection
    using (var results = command.ExecuteReader())
    {
        // read rows from results here
    }
}
maccettura
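Applying this answer to the question's actual situation (one INSERT with dozens of columns, fed from text files): the column list has to be SQL text, so it is checked against an identifier pattern, while every value goes through a parameter. This is an added example, not code from any of the answers; the table, column names, `SqlDbType.NVarChar` with size 4000, and `someConnectionString` are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Text.RegularExpressions;

static class WideInsert
{
    // Column and table names become part of the SQL text, so only plain
    // identifiers from the caller's own configuration are accepted.
    static readonly Regex Identifier = new Regex(@"^[A-Za-z_][A-Za-z0-9_]*$");

    // Builds "INSERT INTO [t] ([c0],[c1],...) VALUES (@p0,@p1,...)" with one
    // parameter per column, so 30 columns need no hand-written {0}..{29}.
    public static SqlCommand BuildInsert(SqlConnection connection, string table,
                                         IReadOnlyList<string> columns)
    {
        if (!Identifier.IsMatch(table) || columns.Any(c => !Identifier.IsMatch(c)))
            throw new ArgumentException("Table and column names must be plain identifiers");

        string columnList = string.Join(",", columns.Select(c => $"[{c}]"));
        string placeholders = string.Join(",", columns.Select((_, i) => $"@p{i}"));
        var command = new SqlCommand(
            $"INSERT INTO [{table}] ({columnList}) VALUES ({placeholders})", connection);
        for (int i = 0; i < columns.Count; i++)
            command.Parameters.Add($"@p{i}", SqlDbType.NVarChar, 4000); // assumed type/size
        return command;
    }

    // Prepares the statement once and reuses it for every row of the file.
    public static int ImportRows(SqlConnection connection, string table,
                                 IReadOnlyList<string> columns, IEnumerable<string[]> rows)
    {
        using (var command = BuildInsert(connection, table, columns))
        {
            command.Prepare();
            int inserted = 0;
            foreach (var row in rows)
            {
                if (row.Length != columns.Count)
                    throw new ArgumentException("Row has wrong number of fields");
                for (int i = 0; i < row.Length; i++)
                    command.Parameters[i].Value = (object)row[i] ?? DBNull.Value;
                inserted += command.ExecuteNonQuery();
            }
            return inserted;
        }
    }
}
```

Call it as `ImportRows(connection, "student", columns, rows)` on an open connection, where `rows` comes from splitting each line of the text file; the values never touch the SQL string, so the "cleaning up" mentioned in the comments becomes unnecessary.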
-1

I am building SQL queries using the string.Format method.

Well, that's your first mistake. You're probably best off with one parameterized query.

But, ignoring that, your question was about building strings. And the best way to do that is with the StringBuilder object:

using System.Text;

var sql = new StringBuilder();
// Append the list a few values at a time instead of one giant format string.
sql.AppendFormat("{0},{1},{2},", val1, val2, val3);
sql.AppendFormat("{0},{1},{2},", val4, val5, val6);
Patrick Hofman
James Curran