1

I am receiving a Dictionary<string, string> and would like to forward its values to the DB inside SqlParameter. Is that even possible? This is the way I did it, and I am getting an error that column name doesn't match table definition.

SqlParameter param = new SqlParameter();
param.ParameterName = "@Values";

var sb = new StringBuilder();
foreach (var item in data)
{
    sb.Append("'" + item.Value + "', ");
}
param.Value = sb.ToString().TrimEnd(',');

string insertString = $"insert into {tableName} values (@Values)";
SqlCommand command = new SqlCommand(insertString, connection);

command.Parameters.Add(param);
command.ExecuteNonQuery();
Improve this question
1

3 Answers 3

Reset to default
2

Sql server can't interpret the single variable you are passing as multiple values.
You can either generate your query with multiple variables, or use a table valued parameter.
For the first option, you must change the way you build your query:

var command = new SqlCommand();

var insertString = $"insert into {tableName} values (";
var sb = new StringBuilder(insertString);
int i = 0;
foreach (var item in data)
{
    sb.Append("@P").Append(i).Append(",");
    command.Parameters.Add("@P" + i, SqlDbType.VarChar).Value = item.Value;
    i++;
}
command.Connection = connection;
command.CommandText = sb.ToString().TrimEnd(",") + ");";
command.ExecuteNonQuery();

Note: Code was not tested, there might be some errors.

For the second option, You must use a stored procedure. I've never tried to pass table valued parameters to an inline query and I don't think it's possible.
This post (also linked in Alex K's comment) explains how to do that.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Is this prone to SQL injection?
only if the value of tableName comes from user input.
Is there a way to patch that part without hardcoding?
Not that I know of.
Solution is great...you're just missing the increment at the end of the loop
|
0

Each value in the "Values" part of you t-SQL must be enclosed with parenthesis.

So, just change this line:

    sb.Append("'" + item.Value + "', ");

to:

    sb.Append("('" + item.Value + "'),");  // note: no space after the ,

Your tSQL would look something like this: 

    insert into myTable values ('A', 'B', 'C',)

It needs to look like this (assuming you've only got 1 column in the table):

    insert into myTable values ('A'), ('B'), ('C')

And if your table contains multiple columns:

    insert into myTable (myColumn) values ('A'), ('B'), ('C')
Improve this answer

3 Comments

It's a good idea, but it doesn't work. I am getting Incorrect syntax near '@Values'. ...I suppose because it expects values to be enclosed in brackets in the first place
Guess I should have specified specifically that you need to change your insertString to (no need for the parameter if you're not using a stored proc): string insertString = $"insert into {tableName} values {sb.ToString().TrimEnd(',')}";
If done like that, it can be exploited. I needed parameter solution :)
0

I think the best is create a split function in mssql (million of example in internet)and a stored. Pass a string comma(for example) separated to the stored Who call the function. Sorry for no example but i'm with my smartphone

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.