0

I currently have a method to see what type of object an input is and create a SQL input based on it, Like so: 

private static string PropertyToDBString(object o)
{
    Debug.Log(o.GetType());
    if (o == typeof(System.String) || o == typeof(string))
        return "'" + o.ToString() + "'";
    else if (o == typeof(System.Boolean) || o == typeof(bool))
        return ((System.Boolean)o) ? "1" : "0";

    return "'" + o.ToString() + "'";
}

But this does not seem to work, Everything returns as .toString() based, Boolean return as True/False, but the log is picking up the type as system.boolean. Like so:

enter image description here

I'm using SQLite and wondering if I should bother using proper data types, As limits don't exist and even the fact the boolean column is INT(1) on the DB but still stores True/False. Should I just use TEXT for everything.

Tristan Cunningham
  • 29
  • 4
  • 1
    I haven't done C# for a while, but `o == typeof` doesn't look right. Something like `o.type == typeof` makes more sense. See http://stackoverflow.com/questions/983030/type-checking-typeof-gettype-or-is – John3136 Aug 21 '16 at 06:57
  • If your question has been answered to your satisfaction, please choose an answer to close this question. Thanks! – Shannon Holsinger Aug 28 '16 at 16:38

2 Answers2

2

I currently have a method to see what type of object an input is and create a SQL input based on it

Don't do that. Use parameterized SQL instead. You should not be trying to format your values for use in SQL. This is almost always going to be a route to SQL injection attacks.

Now, as to the problem itself... you're checking whether o itself is typeof(bool) - whereas I suspect you want to check whether o.GetType() is typeof(bool).

Better yet, use the is operator:

if (o is string)
{
    return "'" + o + "'";
}
if (o is bool)
{
    bool value = (bool) o;
    return value ? "1" : "0";
}
// Are you sure you want this? I would throw an exception if you
// don't know what to do with the value...
return "'" + o + "'";
Jon Skeet
  • 1,421,763
  • 867
  • 9,128
  • 9,194
  • @TristanCunningham: It's very, very unclear what you're trying to do - but as I say, you shouldn't be trying to format SQL parameters. I suggest you consider creating a new question which gives more detail about how you're trying to use this, so we can help you use SQL parameters properly. – Jon Skeet Aug 21 '16 at 07:11
2

If you use parameters in your SQL, you don't need to worry about datatypes or single quotes.

For an insert, instead of:

com.CommandText = "Insert into MyTable (ID,Name,Birthday,Age) values (12,'Bob','01/01/1980',24)";

you do:

com.CommandText = "Insert into MyTable (ID,Name,Birthday,Age) values (@ID,@Name,@BD,@Age)";
    int ID = 12;
    string Name = "Bob";
    DateTime Birthday = new DateTime(1980, 1, 1, 0, 0, 0);
    Int Age = 24;
    com.Parameters.AddWithValue("@ID", ID);
    com.Parameters.AddWithValue("@Name", Name);
    com.Parameters.AddWthValue("@BD", Birthday);
    com.Parameters.AddWithValue("@Age", Age);

for a Boolean input, you can do:

bool isTrue = true;
    com.Parameters.AddWithValue("@isHappyCustomer",isTrue ? 1 : 0);

When using parameters, you don't NEED to use the same datatype as in the database - as long as the value itself will match the requirements of the database field. So you could send a string to a date like 

com.Parameters.AddWithValue("@date","1/1/2016");

for a date field, or 

com.Parameters.AddWithValue("@age","24");

for an int field. Though it's always a good idea to use the same data types and not rely on this conversion feature IMO.

Shannon Holsinger
  • 2,293
  • 1
  • 15
  • 21