MySqlCommand Command.Parameters.Add is obsolete

c# mysql parameters deprecated sqlcommand
Mathlight picture Mathlight · Nov 27, 2012 · Viewed 52.2k times · Source

I'm making an C# windows Form Application in visual studio 2010.

That application is connecting to an mysql database, and I want to insert data in it.

Now do I have this part of code:

MySqlConnection connection;
string cs = @"server=server ip;userid=username;password=userpass;database=databse";
connection = new MySqlConnection(cs);
connection.Open();

MySqlCommand command = new MySqlCommand();
string SQL = "INSERT INTO `twMCUserDB` (`mc_userName`, `mc_userPass`, `tw_userName`, `tw_userPass`) VALUES ('@mcUserName', '@mcUserPass', '@twUserName', '@twUserPass')";
command.CommandText = SQL;
command.Parameters.Add("@mcUserName", mcUserNameNew);
command.Parameters.Add("@mcUserPass", mcUserPassNew);
command.Parameters.Add("@twUserName", twUserNameNew);
command.Parameters.Add("@twUserPass", twUserPassNew);
command.Connection = connection;
command.ExecuteNonQuery();
connection.Close();

The connection is fine. That works.

I readed here that the way that I have now, is an save way to do query's. Is that still right?

And now to the real question. With that code above, I get the following warning in visual studio:

'MySql.Data.MySqlClient.MySqlParameterCollection.Add(string, object)' is obsolete: '"Add(String parameterName, Object value) has been deprecated.  Use AddWithValue(String parameterName, Object value)"'

That warning is for every parameters.add

And it isn't even working, because the values that are inserted are @mcUserName, @mcUserPass and so on, instead of the values that the variables mcUserNameNew and so on are holding...

So my question is, am I doing something wrong, and what is the new way to sql injection save do an query?

Answer

John Woo picture John Woo · Nov 27, 2012

try AddWithValue

command.Parameters.AddWithValue("@mcUserName", mcUserNameNew);
command.Parameters.AddWithValue("@mcUserPass", mcUserPassNew);
command.Parameters.AddWithValue("@twUserName", twUserNameNew);
command.Parameters.AddWithValue("@twUserPass", twUserPassNew);

and don't wrap the placeholders with single quotes.

string SQL = "INSERT INTO `twMCUserDB` (`mc_userName`, `mc_userPass`, `tw_userName`, `tw_userPass`) VALUES (@mcUserName, @mcUserPass, @twUserName, @twUserPass)";

Related questions

Configuration System Failed to Initialize

I'm new to Visual Studio. I'm currently creating a Login form. I have this code. string connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString; try { using (OdbcConnection connect = new OdbcConnection(connectionString)) { connect.Open(); OdbcCommand cmd = new OdbcCommand("SELECT username, password FROM receptionist", connect); …

Read More
How to connect to MySQL Database?

New to C# programming, I'd like to be able to access MySQL Databases. I know MySQL connector/NET and MySQL for Visual Studio are required for C# development. Do I need to install them into my app? Is it possible …

Read More
Index (zero based) must be greater than or equal to zero

Hey I keep getting an error: Index (zero based) must be greater than or equal to zero and less than the size of the argument list. My code: OdbcCommand cmd = new OdbcCommand("SELECT FirstName, SecondName, Aboutme FROM User WHERE UserID=1", …

Read More