Post

Dynamic Parameterized SQL Using ADO.NET With C#

Posted
By Ken Dale 1 min read

Here’s a C# solution for dynamic parameters inside a SQL string:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

var items = new[] { "a", "b", "c" };
var connection = new SqliteConnection($"Data Source={Filename}");
await connection.OpenAsync();

var parameters = items.Select((x, i) => Tuple.Create($"@{i}", x));

var command = connection.CreateCommand();
command.CommandText =
    $"select count(*) from TestTable where name in ({string.Join(",", parameters.Select(x => x.Item1))})";

foreach (var parameter in parameters)
{
    command.Parameters.AddWithValue(parameter.Item1, parameter.Item2);
}

var count = (long)await command.ExecuteScalarAsync();

Note: While it may be easier to inject the values directly into the string rather than constructing parameters, it’s a good idea to parameterize to prevent potential SQL injection attacks.

Full sample

See https://github.com/kendaleiv/CSharpDynamicSqlParameters for a full sample.

dotnet
This post is licensed under CC BY 4.0 by the author.