5
\$\begingroup\$

I'm just starting out to learn all about sql databases. For now based on previous suggestions that was given to me online, I've incorporated a using statement to avoid problems in sql connection and then I applied parameterized queries to avoid sql injection. I was also been given an advice to use sqlparameter arrays to supplement the parameterized queries that i implemented. I just want to know if there are other techniques that you would recommend to improve my code, which i will indicate below. Feel free to suggest better solutions.

using (SqlConnection connection = new SqlConnection(ConfigurationManager.ConnectionStrings["brandsConnection"].ToString())) { string query = "UPDATE [guitarBrands] SET type = @type, name = @name, image = @image WHERE id = @id"; SqlParameter[] p = new SqlParameter[4]; p[0] = new SqlParameter("@type", newType.Text); p[1] = new SqlParameter("@name", newName.Text); p[2] = new SqlParameter("@image", newImage.Text); p[3] = new SqlParameter("@id", id); connection.Open(); using (SqlCommand command = new SqlCommand(query, connection)) { GetExample(command, p); command.ExecuteNonQuery(); connection.Close(); command.Parameters.Clear(); } } public void GetExample(SqlCommand command, params SqlParameter[] p) { if (p != null && p.Any()){ command.Parameters.AddRange(p); } }
\$\endgroup\$
1

1 Answer 1

Reset to default
6
\$\begingroup\$

Stacking the using statements

I am particularly difficult to please with code that has nesting, and I highly prefer to stack the usings when it is possible.

using (SqlConnection connection = ...) { using (SqlCommand command = ...) { ... } }

versus

using (SqlConnection connection = ...) using (SqlCommand command = ...) { ... }

Exception Handling

You should include exception handling into your code, as it will likely throw an exception sooner or later (such as getting disconnected, network issues, etc.)

using (SqlConnection connection = ...) using (SqlCommand command = ...) { try { // open the connection, execute, etc } catch { // log and handle exception(s) } }

Using Lists not Arrays

It would likely do you more harm than good to be using an array, especially in the context of maintainable code. I would recommend you switch to using Lists, like this:

List<SqlParameter> p = new List<SqlParameter>(); p.Add(new SqlParameter("@type", newType.Text)); p.Add(new SqlParameter("@name", newName.Text)); p.Add(new SqlParameter("@image", newImage.Text)); p.Add(new SqlParameter("@id", id));

This will let you introduce more items into your parameters without having to do deal with the headaches of explicitly indexing.

Note: If you want to keep the same method signature for yourGetExample()method, then don't forget to pass the parameters as an array --- you could useToArray()to accomplish that.

Here it all is together...

string query = "UPDATE [guitarBrands] SET type = @type, name = @name, image = @image WHERE id = @id"; using (SqlConnection connection = new SqlConnection(ConfigurationManager.ConnectionStrings["brandsConnection"].ToString())) using (SqlCommand command = new SqlCommand(query, connection) { try { // open the connection, execute, etc List<SqlParameter> p = new List<SqlParameter>(); p.Add(new SqlParameter("@type", newType.Text)); p.Add(new SqlParameter("@name", newName.Text)); p.Add(new SqlParameter("@image", newImage.Text)); p.Add(new SqlParameter("@id", id)); connection.Open(); GetExample(command, p.ToArray()); command.ExecuteNonQuery(); command.Parameters.Clear(); } catch { // log and handle exception(s) } }
\$\endgroup\$
2
  • \$\begingroup\$Fail. Use query before it is defined\$\endgroup\$
    – paparazzo
    CommentedMay 24, 2017 at 19:29
  • \$\begingroup\$@Svek - thank you for the brand new technique.\$\endgroup\$
    – RockStar
    CommentedMay 25, 2017 at 8:37

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.