问题
I Have a problem with a prepared statement in C#:
OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID = ?";
cmd.Parameters.Add("@USER_ID", OdbcType.VarChar, 250).Value = email;
(of course email contains a valid email address, with @ sign).
This code returns a random error -
"The connection has been disabled" {"ERROR [01000] [Microsoft][ODBC SQL Server Driver][TCP/IP Sockets]ConnectionWrite (send()). ERROR [08S01] [Microsoft][ODBC SQL Server Driver][TCP/IP Sockets]General network error. Check your network documentation."}
However if I run my code without a prepared statement, meaning:
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID = '"+email+"'";
Everything works perfectly.
Maybe it's related to the fact that I have a @ sign in the parametrized value? I tend to think I'm not the first one trying to create a prepared statement with an email address...
I have no idea what's wrong! Other prepared statements work normally...
Can you please help? :) Thanks, Nili
回答1:
Indeed, ODBC has its share of issues with supporting named parameters. However, certain usage of named parameters is possible.
For example, in your case the following syntax works:
OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID = ?";
cmd.Parameters.Add("USER_ID", OdbcType.VarChar, 250).Value = email;
More tricky situation is when you don't have a unique match for the parameter like USER_ID = ?; e.g., when you want to use the IN operator in the WHERE clause.
Then the following syntax would do the job:
OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID IN (?, ?)";
cmd.Parameters.Add("?ID1", OdbcType.VarChar, 250).Value = email1;
cmd.Parameters.Add("?ID2", OdbcType.VarChar, 250).Value = email2;
Please note the usage of ? (question mark) instead of @ (at sign) within the parameter name. Although note that substitution of parameters' values in this case has nothing to do with their names, but only with their order with the parameters collection.
I hope this helps :-)
回答2:
Use '@USER_ID' instead of '?' and all should work:
OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID = @USER_ID";
cmd.Parameters.Add("@USER_ID", OdbcType.VarChar, 250).Value = email;
回答3:
Is there a specific reason you're using OdbcCommand
rather than using the SqlClient
provider?
With the SqlClient
provider, you should be using named parameters as others have suggested.
But according to MSDN:
The .NET Framework Data Provider for OLE DB and .NET Framework Data Provider for ODBC do not support named parameters for passing parameters to an SQL statement or a stored procedure. In this case, you must use the question mark (?) placeholder, as in the following example.
So I'm not sure named parameters will work in this case.
来源:https://stackoverflow.com/questions/4954877/c-sharp-prepared-statements-sign-at-strudel-sign-queries