C# Prepared Statements - @ sign (at / strudel sign) queries

Nili picture Nili · Feb 10, 2011 · Viewed 15.1k times · Source

I Have a problem with a prepared statement in C#:

OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID = ?";
cmd.Parameters.Add("@USER_ID", OdbcType.VarChar, 250).Value = email;

(of course email contains a valid email address, with @ sign).

This code returns a random error -

"The connection has been disabled" {"ERROR [01000] [Microsoft][ODBC SQL Server Driver][TCP/IP Sockets]ConnectionWrite (send()). ERROR [08S01] [Microsoft][ODBC SQL Server Driver][TCP/IP Sockets]General network error. Check your network documentation."}

However if I run my code without a prepared statement, meaning:

cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID = '"+email+"'";

Everything works perfectly.

Maybe it's related to the fact that I have a @ sign in the parametrized value? I tend to think I'm not the first one trying to create a prepared statement with an email address...

I have no idea what's wrong! Other prepared statements work normally...

Can you please help? :) Thanks, Nili

Answer

Lev picture Lev · May 15, 2011

Indeed, ODBC has its share of issues with supporting named parameters. However, certain usage of named parameters is possible.

For example, in your case the following syntax works:

OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID = ?";
cmd.Parameters.Add("USER_ID", OdbcType.VarChar, 250).Value = email;

More tricky situation is when you don't have a unique match for the parameter like USER_ID = ?; e.g., when you want to use the IN operator in the WHERE clause.

Then the following syntax would do the job:

OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID IN (?, ?)";
cmd.Parameters.Add("?ID1", OdbcType.VarChar, 250).Value = email1;
cmd.Parameters.Add("?ID2", OdbcType.VarChar, 250).Value = email2;

Please note the usage of ? (question mark) instead of @ (at sign) within the parameter name. Although note that substitution of parameters' values in this case has nothing to do with their names, but only with their order with the parameters collection.

I hope this helps :-)