
I have a Windows Forms app, and all I need is to load a variable from a textbox into a script while using ExecuteNonQuery.

My code:

```csharp
using System.Data.SqlClient;
using System.IO;
using Microsoft.SqlServer.Management.Common;
using Microsoft.SqlServer.Management.Smo;

var connString = @"Data Source=serwer01;Initial Catalog=PolsatCyfrowy;Integrated Security=True;MultipleActiveResultSets=True";
string script = File.ReadAllText(@"C:\Users\Kolejki.sql"); // read the whole script file
using (SqlConnection conn = new SqlConnection(connString))
{
    conn.Open();
    Server server = new Server(new ServerConnection(conn));
    server.ConnectionContext.ExecuteNonQuery(script); // run the script through SMO
}
```

And my script, named Kolejki.sql, looks like this:

```sql
-- T-SQL local variables must be prefixed with @
declare @variable1 VARCHAR(50)
set @variable1 = '1234'
select * from table1 where id in (@variable1)
```

How can I just set variable1 = (text from textbox1, i.e. textbox1.Text)? I need to use only ExecuteNonQuery because it's such a long script and I can't use SqlCommand. It's just an example.

Adam Zbudniewek
  • A Parameterized Query is the way to safely pass data from C# to an SQL statement, however it will not work with `IN()`, see https://stackoverflow.com/questions/2377506/pass-array-parameter-in-sqlcommand – Alex K. Jun 28 '18 at 12:21
  • Yes, I know that, it's only an example to explain the problem. – Adam Zbudniewek Jun 28 '18 at 12:38
  • Why don't you use stored procedures? – SehaxX Jun 28 '18 at 12:50
  • Because I don't have permission to create a stored procedure on this server. – Adam Zbudniewek Jun 28 '18 at 13:16
  • You should get permission to create a stored procedure. Doing this by reading SQL from a text file and then executing it is a recipe for disaster. It is vulnerable to SQL injection and my friend Bobby Tables loves this type of stuff. http://bobby-tables.com/ – Sean Lange Jun 28 '18 at 14:11
  • Sounds like a good place to use LINQ - assuming your end game to execute against a collection of ids. – user2638401 Jun 28 '18 at 16:03
  • I don't care about SQL injection. It's gonna be my own program, only for me to use. Can someone just give an example of how to do that? :( Just put @variable into the script executed by ExecuteNonQuery. – Adam Zbudniewek Jun 29 '18 at 09:29
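
One way to feed the textbox value into the script as SQL parameters, following the parameterized-query advice in the comments (an added example, not code from the question or from any commenter). It assumes the DECLARE/SET lines for `@variable1` have been removed from Kolejki.sql; `ScriptRunner` and the generated `@variable1_N` names are hypothetical. It goes beyond the single-value case by expanding a comma-separated entry into one parameter per value, which is what makes `IN()` work.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;

static class ScriptRunner // hypothetical helper, not part of SMO or ADO.NET
{
    // Assumption: the script no longer declares or sets @variable1 itself;
    // the value arrives as SQL parameters supplied by the caller.
    public static void Run(string connString, string scriptPath, string textBoxValue)
    {
        // Split "1234, 5678" into separate values; each becomes its own parameter,
        // so the typed text is always treated as data and never as SQL.
        string[] values = textBoxValue
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(v => v.Trim()).Where(v => v.Length > 0).ToArray();
        if (values.Length == 0)
            throw new ArgumentException("No value entered.", nameof(textBoxValue));

        // Only generated names (@variable1_0, @variable1_1, ...) are written into the script.
        string names = string.Join(", ", values.Select((v, i) => "@variable1_" + i));
        string script = Regex.Replace(File.ReadAllText(scriptPath), @"@variable1\b", names);

        // SqlCommand does not understand the GO separator, so run each batch separately.
        string[] batches = Regex.Split(script, @"^\s*GO\s*$",
            RegexOptions.Multiline | RegexOptions.IgnoreCase);

        using (var conn = new SqlConnection(connString))
        {
            conn.Open();
            foreach (string batch in batches.Where(b => !string.IsNullOrWhiteSpace(b)))
            using (var cmd = new SqlCommand(batch, conn))
            {
                // VarChar(50) matches the variable's declared type in the original script.
                for (int i = 0; i < values.Length; i++)
                    cmd.Parameters.Add("@variable1_" + i, SqlDbType.VarChar, 50).Value = values[i];
                cmd.ExecuteNonQuery();
            }
        }
    }
}
```

Called from the form as `ScriptRunner.Run(connString, @"C:\Users\Kolejki.sql", textbox1.Text);`. Script length is not a limit for `SqlCommand`; only the `GO` separators need the splitting shown.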

0 Answers