Using SQLParameter in C#


In this post, I am going to show you how to use the SqlParameter class and its methods and properties in C#.

The SqlParameter class lives in the System.Data.SqlClient namespace. Its properties and methods are used when interacting with a database. Sometimes we want to filter the data entered into the database based on user input; in that case we can use the SqlParameter class. In another case, for example when inserting data, we often build the INSERT statement by concatenating the user's input directly into the SqlCommand text, which opens the door to SQL injection. To avoid this problem, we can use the SqlParameter class and pass the values as parameters instead.
  • SqlParameter para1 = new SqlParameter() - creates a new instance of SqlParameter.
  • ParameterName - the name of the parameter (for example @name), which must match the placeholder used in the SQL text.
  • Value - the value of the parameter.
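The following is an added example, not code from the original post: the same INSERT written once with string concatenation (the pattern that allows SQL injection) and once with SqlParameter, so the two can be compared side by side. It assumes the post's tbl_Record table; the column types and lengths, the helper names and the connection string placeholder are assumptions.

```csharp
// Added example (not from the original post): concatenated vs. parameterized INSERT.
// Assumes a table tbl_Record(Name, State, joindate, Experience); types are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;

namespace UseOfSQLParameter
{
    static class InsertExamples
    {
        // VULNERABLE: the user-supplied text is pasted into the SQL statement itself.
        // A single quote in the input changes the statement, so the database server
        // cannot distinguish the data from the command.
        public static SqlCommand BuildConcatenated(SqlConnection con, string name, string state)
        {
            string sql = "INSERT INTO tbl_Record (Name,State) VALUES ('" + name + "','" + state + "')";
            return new SqlCommand(sql, con);
        }

        // SAFE: the SQL text is fixed; the values travel separately as typed parameters
        // and are never interpreted as part of the statement.
        public static SqlCommand BuildParameterized(SqlConnection con, string name, string state,
                                                    DateTime joinDate, int? experience)
        {
            var cmd = new SqlCommand(
                "INSERT INTO tbl_Record (Name,State,joindate,Experience) VALUES (@name,@state,@joindate,@exp);",
                con);

            // Declaring SqlDbType and Size avoids type inference from the .NET value and
            // keeps the parameter aligned with the column definition (lengths assumed here).
            cmd.Parameters.Add(new SqlParameter("@name", SqlDbType.NVarChar, 100) { Value = name });
            cmd.Parameters.Add(new SqlParameter("@state", SqlDbType.NVarChar, 50) { Value = state });
            cmd.Parameters.Add(new SqlParameter("@joindate", SqlDbType.Date) { Value = joinDate });

            // A .NET null is NOT a SQL NULL: SqlClient treats a null Value as "parameter not
            // supplied" and ExecuteNonQuery throws. DBNull.Value is the SQL NULL.
            cmd.Parameters.Add(new SqlParameter("@exp", SqlDbType.Int)
            {
                Value = experience.HasValue ? (object)experience.Value : DBNull.Value
            });
            return cmd;
        }

        public static void Main()
        {
            // The connection string is a placeholder (assumption); read it from configuration
            // rather than embedding credentials in source.
            using (var con = new SqlConnection("<connection string from configuration>"))
            {
                con.Open();
                // The apostrophe in O'Brien is stored as data; it cannot alter the statement.
                using (var cmd = BuildParameterized(con, "O'Brien", "Goa", DateTime.Today, 3))
                {
                    int rows = cmd.ExecuteNonQuery();
                    Console.WriteLine(rows + " row(s) inserted");
                }
            }
        }
    }
}
```

The two builders have the same signature shape on purpose: the only difference a reviewer should look for is whether user input ever touches the SQL string. The SqlDbType overload is used instead of AddWithValue so that the parameter type is chosen by the developer rather than inferred from the .NET value.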

The program below uses the SqlParameter class to insert data into a database from a Windows Forms application.

    Connection.cs File

    using System;
    using System.Data;
    using System.Data.SqlClient;
    namespace UseOfSQLParameter
    {
        class Connection
        {
         // Opens and returns a connection to the Test database.
         // The connection string (including the sa credentials) is hard-coded here for the demo;
         // in real code it belongs in configuration, not in source.
         public SqlConnection getcon()
         {
          SqlConnection con = new SqlConnection("data source=VISHAL-PC\\SQL2014; database=Test;uid=sa;password=sa@123");
          con.Open();
          return con;
         }
        }
    }


    Main Program.

    using System;
    using System.Data;
    using System.Drawing;
    using System.Linq;
    using System.Text;
    using System.Windows.Forms;
    using System.Data.SqlClient;
    namespace UseOfSQLParameter
    {
        public partial class Form1 : Form
        {
         Connection conn = new Connection();
         public Form1()
         {
          InitializeComponent();
          comboBox1.Items.Add("Andhra Pradesh");
          comboBox1.Items.Add("Goa");
          comboBox1.Items.Add("Rajasthan");
          comboBox1.Items.Add("Hariyana");
          comboBox1.Items.Add("Maharashtra");
          comboBox1.Items.Add("Delhi");
         }
         private void button1_Click(object sender, EventArgs e)
         {
          // Dispose the connection and command when done, even if ExecuteNonQuery throws.
          using (SqlConnection sqlcon = conn.getcon())
          using (SqlCommand cmd = new SqlCommand())
          {
           // One SqlParameter per user-supplied value; the object initializer sets
           // ParameterName and Value in a single statement.
           SqlParameter para1 = new SqlParameter
           {
            ParameterName = "@name",
            Value = textBox1.Text
           };
           SqlParameter para2 = new SqlParameter
           {
            ParameterName = "@state",
            // SelectedItem is null when nothing is chosen; SqlClient needs DBNull.Value for SQL NULL.
            Value = comboBox1.SelectedItem ?? DBNull.Value
           };
           SqlParameter para3 = new SqlParameter
           {
            ParameterName = "@joindate",
            Value = dateTimePicker1.Value
           };
           SqlParameter para4 = new SqlParameter
           {
            ParameterName = "@exp",
            Value = textBox4.Text
           };
           cmd.Parameters.Add(para1);
           cmd.Parameters.Add(para2);
           cmd.Parameters.Add(para3);
           cmd.Parameters.Add(para4);
           // The SQL text contains only placeholders; the user input never becomes part of it.
           cmd.CommandText = "INSERT INTO tbl_Record (Name,State,joindate,Experience) values(@name,@state,@joindate,@exp);";
           cmd.Connection = sqlcon;
           cmd.CommandType = CommandType.Text;
           cmd.ExecuteNonQuery();
          }
          MessageBox.Show("Employee Details Saved");
         }
        }
    }
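As an added example (not part of the original post), here is a small offline check for the kind of command built above: it verifies that every @placeholder in CommandText has a parameter added and that no parameter carries a .NET null, the two mistakes that surface only at ExecuteNonQuery time as "parameter not supplied". It needs no database connection; the CommandCheck class and its Validate method are assumed names, and the sample command mirrors the post's INSERT.

```csharp
// Added example (not from the original post): validate a SqlCommand before executing it.
// Runs without a database; CommandCheck/Validate are assumed names.
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

namespace UseOfSQLParameter
{
    static class CommandCheck
    {
        // Matches @name-style placeholders in the SQL text.
        static readonly Regex Placeholder = new Regex(@"@\w+", RegexOptions.Compiled);

        // Returns a list of problems; an empty list means the command is ready to execute.
        public static List<string> Validate(SqlCommand cmd)
        {
            var problems = new List<string>();
            var declared = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

            foreach (SqlParameter p in cmd.Parameters)
            {
                declared.Add(p.ParameterName);
                // A .NET null is not a SQL NULL; SqlClient reports it as "not supplied".
                if (p.Value == null)
                    problems.Add(p.ParameterName + " has a .NET null; use DBNull.Value for SQL NULL");
            }

            foreach (Match m in Placeholder.Matches(cmd.CommandText))
            {
                if (!declared.Contains(m.Value))
                    problems.Add(m.Value + " appears in CommandText but no parameter was added");
            }
            return problems;
        }

        public static void Main()
        {
            // Constructed sample: the post's INSERT with two deliberate mistakes for the check to catch.
            var cmd = new SqlCommand(
                "INSERT INTO tbl_Record (Name,State,joindate,Experience) values(@name,@state,@joindate,@exp);");
            cmd.Parameters.Add(new SqlParameter("@name", "Ravi"));
            cmd.Parameters.Add(new SqlParameter("@state", null));   // as when nothing is selected in the combo box
            cmd.Parameters.Add(new SqlParameter("@joindate", DateTime.Today));
            // @exp is intentionally not added.

            foreach (string problem in Validate(cmd))
                Console.WriteLine(problem);
        }
    }
}
```

Calling Validate from the button handler before ExecuteNonQuery turns a runtime SqlException into a clear message, and the placeholder scan also doubles as a reminder that every value must arrive through a parameter rather than through the SQL string.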


    Output

    (The screenshot of the running form and its "Employee Details Saved" message is not reproduced here.)

    Reviewed by LanguageExpert on May 05, 2018