multiple inserts: advice needed

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hello,

I'm new to c#. I have situation where I want to execute a number of insert
statements that differ only in a few dynamic values. When I was a Java
programmer, I would do this with a PreparedStatement, which will supposedly
improve performance as well as make the setting of the dynamic values much
more convenient than building a long sql string filled with "', '" + value1 +
"', '".

I think I've found the C# equivalent to the PreparedStatement in the
SqlCommand. Here is a working example of what I've done so far:

StringBuilder sb = new StringBuilder();
sb.Append("INSERT INTO my_table VALUES (");
sb.Append("@id, @name)");
SqlCommand command = new SqlCommand(sb.toString(), conn);
command.Parameters.Add("@id", SqlDbType.Int);
command.Parameters.Add("@name", SqlDbType.VarChar, 50);
command.Prepare();
for(int i = 0; i < some_array.Length; i++)
{
command.Parameters[0].Value = id_arr;
command.Parameters[1].Value = name_arr;
}
command.ExecuteNonQuery();


The above is working, but I had to cobble it together from a few other
examples and I'm not sure this is the best or easiest way. In Java's JDBC,
you don't have the step of adding the parameters
(command.Parameters.Add("@name", SqlDbType.VarChar, 50);) which can take many
lines, depending on how many fields you're setting. In fact, I think this
step makes it almost as cumbersome as just building out the whole sql string
with single quotes.

My question is: Is my example above a good way to do multiple inserts, or is
there another technique that would allow me to do this more efficiently? By
"efficiently", I mean web application performance and also programmer
convenience. I'm sure there are tons of developers in this situation, but I
haven't been able to find many good examples out there.

I greatly appreciate any advice or feedback!

Oasis
 
Hi Oasis,

The point of the SQLParameter calls is that, using these calls, you can
avoid an entire array of attacks against your database. The data that is
passed as a parameter cannot corrupt the SQL string itself, like it could
you just appended things together. The attack mechanism is called SQL
Injection.

Your mechanism is sound.

--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
 
One more note:

Since you had to cobble this together, why not write an article for one of
the programming sites in .Net explaining your tactics and what is happening
under the covers, so that the next person doesn't have to go through the
same difficulty.

--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
 
Thanks Nick, I just may do this.

Oasis

Nick Malik said:
One more note:

Since you had to cobble this together, why not write an article for one of
the programming sites in .Net explaining your tactics and what is happening
under the covers, so that the next person doesn't have to go through the
same difficulty.

--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
Oasis said:
Hello,

I'm new to c#. I have situation where I want to execute a number of insert
statements that differ only in a few dynamic values. When I was a Java
programmer, I would do this with a PreparedStatement, which will
supposedly
improve performance as well as make the setting of the dynamic values much
more convenient than building a long sql string filled with "', '" +
value1 +
"', '".

I think I've found the C# equivalent to the PreparedStatement in the
SqlCommand. Here is a working example of what I've done so far:

StringBuilder sb = new StringBuilder();
sb.Append("INSERT INTO my_table VALUES (");
sb.Append("@id, @name)");
SqlCommand command = new SqlCommand(sb.toString(), conn);
command.Parameters.Add("@id", SqlDbType.Int);
command.Parameters.Add("@name", SqlDbType.VarChar, 50);
command.Prepare();
for(int i = 0; i < some_array.Length; i++)
{
command.Parameters[0].Value = id_arr;
command.Parameters[1].Value = name_arr;
}
command.ExecuteNonQuery();


The above is working, but I had to cobble it together from a few other
examples and I'm not sure this is the best or easiest way. In Java's JDBC,
you don't have the step of adding the parameters
(command.Parameters.Add("@name", SqlDbType.VarChar, 50);) which can take
many
lines, depending on how many fields you're setting. In fact, I think this
step makes it almost as cumbersome as just building out the whole sql
string
with single quotes.

My question is: Is my example above a good way to do multiple inserts, or
is
there another technique that would allow me to do this more efficiently?
By
"efficiently", I mean web application performance and also programmer
convenience. I'm sure there are tons of developers in this situation, but
I
haven't been able to find many good examples out there.

I greatly appreciate any advice or feedback!

Oasis
Click to expand...
Click to expand...
 
Back
Top