5

I am using Connector/Net 6.8.3 for a C# project and have been using it (or prior versions) for quite some time.

As I look through legacy code, I see several variations related to parameterized queries and have been attempting to determine what the differences are and if there's a best practice.

The query string:

  • Example 1: cmd.CommandText = "UPDATE table SET thing = @value;";

  • Example 2: cmd.CommandText = "UPDATE table SET thing = ?value;";

Adding parameters:

  • Example 3: cmd.Parameters.AddWithValue("@value", user_value);

  • Example 4: cmd.Parameters.AddWithValue("?value", user_value);

  • Example 5: cmd.Parameters.AddWithValue("value", user_value);

All of these variations seem to work. I haven't been able to find in the official documentation anything that explains the difference in prefix usage (@ vs ?). However, this devart.com page suggests the following:

  • Unnamed parameters can be specified as '?' symbol.
  • Named parameters are declared using ':' or '@' prefix followed by name of the parameter. Note that the name of the MySqlParameter object in the collection of the command should contain the '@' prefix if parameter in CommandText is used with the '@' prefix. If the parameter in CommandText contains the ':' prefix, the name of the MySqlParameter object in the command's collection should be used without any prefix.

The last point has some grammatical issues, but the examples shown seem to indicate that when using '@' the statement cmd.Parameters.AddWithValue("@value", user_value); should include the '@' as well, but not when using ':'.

However, in many of the functioning methods that I am reviewing, the query uses '@' in the command text (Example 1), but not in the AddWithValue() statement (Example 5).

Questions:

  • What are the potential consequences of omitting the prefix when adding a parameter? (Example 5)

  • Is there no reason to add a parameter name when using the '?' prefix, because it is intended for unnamed parameters? (Example 2)

JYelton
  • 35,664
  • 27
  • 132
  • 191

1 Answers1

8

The answer to your questions:

Example 5 uses a named parameter object. The use of this is so:

cmd.CommandText = "UPDATE table SET thing = :value;";
cmd.Parameters.AddWithValue("value", user_value);

You can compare with this:

cmd.CommandText = "UPDATE table SET thing = @value;";
cmd.Parameters.AddWithValue("@value", user_value);

Notice that the '@' is not used when using the colon. Atleast, that is how it should be. It may work the other way because internally the representations would be the same.

The use of unnamed parameter is little different.

cmd.CommandText = "UPDATE table SET thing = ?;";
cmd.Parameters.AddWithValue("anyname", user_value);

The name of the parameter could most probably be anything and it would be just taken in from the index value.

While named parameters will be accessed by name the unnamed ones are used by index value, potentially assigning wrong values like this:

cmd.CommandText = "UPDATE table SET thing1 = ?, thing2 = ?;";
cmd.Parameters.AddWithValue("anyname1", user_value2);
cmd.Parameters.AddWithValue("anyname2", user_value1);

Here the 'user_value2' which should have been assigned to 'thing2' gets assigned to 'thing1' because it appears first in the index.

enter image description here

Gaurav Joseph
  • 927
  • 14
  • 25
  • So if I use strictly named parameters, using the `@` (which I prefer), is there any reason to also use `@` in the argument for `AddWithValue`? It seems to work either way. – JYelton Feb 15 '14 at 22:14
  • Not necessarily but would be preferable to make your code future proof, in case the developers decide that the code should be more strict. – Gaurav Joseph Feb 16 '14 at 03:45
  • 1
    I'd love to see this updated to show explicit types instead of AddWithValue – Joel Coehoorn Feb 12 '16 at 17:02