-1

I have the following query string:

INSERT INTO cibi ([nome], [Zuccheri_100g], [tipo], [Nome_EN], [Nome_DE],[Nome_ES], [DefaultAmt])
VALUES ('{1}', {2}, {3}, '{4}', '{5}', '{6}', {7})

Now I have a list of strings called values that I want to replace into the numbers. What is the code I should use? Should I use replace?

Thanks

JNevill
  • 46,980
  • 4
  • 38
  • 63
user1238784
  • 2,250
  • 3
  • 22
  • 41
  • What language are you writing this in? – JNevill Apr 30 '18 at 15:12
  • C# visualstudio 2018 – user1238784 Apr 30 '18 at 15:13
  • This depends more on your ORM rather than your SQL expression. Which framework or library are you using to execute this insert? – EzLo Apr 30 '18 at 15:18
  • 4
    You should ***NOT*** use such a "manually building up" your SQL statement approach. Your system will be **wide open** to SQL injection - the OWASP #1 vulnerability on the net. You must use **parametrized queries** instead and set the parameter values properly – marc_s Apr 30 '18 at 15:23
  • You want to use parameter binding here. Trying to roll your own binding with `replace()` will lead you down a dark and painful path. [Read here how to parameterize your query in C# with sql server and bind to those parameters](https://msdn.microsoft.com/en-us/library/z72eefad.aspx). It's easy, and it saves you from sql injection. Write all of your sql (that require parameters) using this method as a matter of habit. If you aren't using `sql-server` then whatever RDBMS you are using and it's library in C# should support some form of this out of the box. – JNevill Apr 30 '18 at 15:35

1 Answers1

0

As suggested by marc and JNevill, use sql parameters when composing your query string. I assume your values variable is always a 7-element array of strings

using System.Data;
using System.Data.SqlClient;

DataTable myDataTable = new DataTable();

using (SqlConnection sqlConnection = new SqlConnection(.....)
{
    using (SqlCommand sqlCommand = new SqlCommand())
    {
        sqlCommand.Connection = sqlConnection;
        sqlCommand.CommandType = CommandType.Text;

        sqlCommand.Parameters.AddWithValue("@V0", values[0]);
        sqlCommand.Parameters.AddWithValue("@V1", values[1]);
        sqlCommand.Parameters.AddWithValue("@V2", values[2]);
        sqlCommand.Parameters.AddWithValue("@V3", values[3);
        sqlCommand.Parameters.AddWithValue("@V4", values[4]);
        sqlCommand.Parameters.AddWithValue("@V5", values[5]);
        sqlCommand.Parameters.AddWithValue("@V6", values[6]);

        string queryStr = "INSERT INTO cibi ([nome], [Zuccheri_100g], [tipo], [Nome_EN], [Nome_DE],[Nome_ES], [DefaultAmt]) VALUES (@V0, @V1, @V2, @V3, @V4, @V5, @V6)";

        sqlCommand.CommandText = queryStr;
        sqlConnection.Open();
        SqlDataReader sqlDataReader = sqlCommand.ExecuteReader();
        myDataTable.Load(sqlDataReader);
        sqlConnection.Close();
    }
}
VA systems engineer
  • 2,856
  • 2
  • 14
  • 38
  • Notice the using keyboard will close your connection automatically after the code is finish. Is important to know this hidden functionality. – Juan Apr 30 '18 at 17:25
  • the `sqlConnection.Close()` statement closes the connection. The `using` keyword disposes of the `sqlConnection` and `sqlCommand` objects. **The using keyword has two major uses: #2: As a statement, when it defines a scope at the end of which an object will be disposed**. [using (C# Reference)](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/using) – VA systems engineer Apr 30 '18 at 17:29
  • I was trying to say that if you don't say close the using statement will close the connection and the end or if an exception rise inside. Please see https://stackoverflow.com/questions/4717789/in-a-using-block-is-a-sqlconnection-closed-on-return-or-exception – Juan Apr 30 '18 at 17:35
  • I don't think that a `using` statement (i.e., a `dispose`) closes the connection. I think it just releases the connection back to the pool. See answer to [Why is my using statement not closing connection?](https://stackoverflow.com/questions/9133473/why-is-my-using-statement-not-closing-connection). I prefer an explicit close. – VA systems engineer Apr 30 '18 at 17:48
  • 1
    @Juan: My apologies - I take it back. I ran a Visual Studio 2017 code analysis and it's warning me about the combination of my `using` statement and my `sqlConnection.Close()` statement. The warning says: `Warning CA2202 Object 'sqlConnection' can be disposed more than once in method 'DataAccessLayer.GetDbTableList()'. To avoid generating a System.ObjectDisposedException you should not call Dispose more than one time on an object.`. This warning goes away when I remove my `sqlConnection.Close()` statement. So, it seems that a `Close` statement may also dispose of the object? – VA systems engineer May 01 '18 at 12:34
  • 1
    Hi @Nova I also was trying to get solid information about this. The thing is in the sql connection, when you call dispose to this type of object in the dispose code you can find the close call, I took a look using dotnetpeek to the sqlconnection class where you can find the code of the dispose and the close call. Please find an image here https://drive.google.com/open?id=15b8_stSOMEccHtZSVGsJQEMWLwu99agB this conversation is helpful because can help others, thanks. I will take a look to the code analysis also. – Juan May 01 '18 at 12:52
  • 1
    Regarding of if the close method call the dispose, this is correct. Inside the close method other method is call named CloseConnection in this method the dispose is called. You can see all the code using jetbrain donet peek. Open the sql.data.sqlclient library and go to sqlconnection then to the close method and you can see the code and can use go to declaration to navigate the calls. – Juan May 02 '18 at 00:15