
Given the query:

```csharp
db.ExecuteCommand(
    "UPDATE ForumUserStats SET Posts += {0} WHERE UserID = {1} AND ForumID = {2}",
    -1, post.AuthorID, post.Forum.ID
);
```

There are various points in the code where it would be better to save the queries into a StringBuilder and then execute them in one ExecuteCommand statement.

How can I add a query like above into a string ready to execute at a later date without having a DataContext available?

Please note, string.format does not properly parameterise the properties for SQL (e.g. with DateTime and strings).

Tom Gullen
  • By using `ExecuteCommand` directly, it looks like you are already moving away from the conventions enforced by EF / Linq2Sql ORMs anyway. One of the more performant ways to do high frequency insert / upserts is to return to basic `ADO.Net`, establish a long lived Command (which in turn will use the established Connection Pool), and then you can [reuse the command](https://stackoverflow.com/a/21376455/314291) and then just rebind the values on each transaction. – StuartLC May 24 '18 at 10:01
  • Save both query and parameters? – Evk May 24 '18 at 10:02
  • You should look into [how does sqlparameter prevent sql injection](https://stackoverflow.com/questions/4892166/how-does-sqlparameter-prevent-sql-injection) – Mike May 24 '18 at 10:03
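
One way to save both the query and its parameters, as the comments suggest, so that the values stay out of the SQL text until execution. This is an added example, not code from the question or its comments; `DeferredCommandBatch` is a hypothetical helper, and it assumes the queued SQL contains no literal braces other than the `{n}` placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;

// Hypothetical helper (not part of LINQ to SQL): queues commands written with
// {0}, {1}, ... placeholders and keeps the values separate from the SQL text,
// so nothing is ever formatted into the string.
public sealed class DeferredCommandBatch
{
    private static readonly Regex Placeholder = new Regex(@"\{(\d+)\}");
    private readonly StringBuilder _sql = new StringBuilder();
    private readonly List<object> _args = new List<object>();

    public int Count { get; private set; }

    // No DataContext is needed here; only the text and the values are stored.
    public void Add(string sql, params object[] args)
    {
        int offset = _args.Count;
        // Shift each placeholder index so it points at this command's values
        // within the combined parameter list; reject indexes with no value.
        string shifted = Placeholder.Replace(sql, m =>
        {
            int index = int.Parse(m.Groups[1].Value);
            if (index >= args.Length)
                throw new ArgumentException("Placeholder {" + index + "} has no value.");
            return "{" + (index + offset) + "}";
        });
        _sql.Append(shifted).AppendLine(";");
        _args.AddRange(args);
        Count++;
    }

    // 'execute' is whatever runs the batch later, e.g. db.ExecuteCommand,
    // which binds each {n} to a SQL parameter rather than inlining the value.
    public int Flush(Func<string, object[], int> execute)
    {
        if (Count == 0) return 0;
        int affected = execute(_sql.ToString(), _args.ToArray());
        _sql.Clear();
        _args.Clear();
        Count = 0;
        return affected;
    }
}
```

Queue with `batch.Add("UPDATE ForumUserStats SET Posts += {0} WHERE UserID = {1} AND ForumID = {2}", -1, post.AuthorID, post.Forum.ID)` and run later with `batch.Flush(db.ExecuteCommand)`. SQL Server accepts at most 2,100 parameters per command, so flush before a batch grows past that.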
