    Class NamedParameterSql

    Encapsulates the components of a parameterized SQL query, including the SQL string with named parameters and a dictionary of their corresponding values.

    Inheritance
    object
    NamedParameterSql
    Inherited Members
    object.Equals(object)
    object.Equals(object, object)
    object.GetHashCode()
    object.GetType()
    object.MemberwiseClone()
    object.ReferenceEquals(object, object)
    object.ToString()
    Namespace: Syncfusion.Blazor.QueryBuilder
    Assembly: Syncfusion.Blazor.dll
    Syntax
    public class NamedParameterSql
    Remarks

    This class promotes database security by enabling the use of parameterized queries, which is a key defense against SQL injection attacks. Parameterized queries separate SQL logic from user-provided data, ensuring that input is treated as literal values rather than executable code.

    For instance, a typical ADO.NET implementation would look like this:

    using System.Data.SqlClient;
    
    // Define the SQL query with named parameters.
    string queryString = "SELECT * FROM Users WHERE Username = @Username AND Password = @Password";
    
    // Establish a connection and command.
    using (var connection = new SqlConnection(connectionString))
    {
        var command = new SqlCommand(queryString, connection);
    
        // Add parameters and their values.
        command.Parameters.AddWithValue("@Username", username);
        command.Parameters.AddWithValue("@Password", password);
    
        // Execute the command.
        connection.Open();
        using (var reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                // Process the results.
            }
        }
    }

    In this pattern, @Username and @Password are placeholders whose values are bound by the database driver and sent separately from the command text, rather than spliced into the SQL string, so user input cannot change the structure of the query. The NamedParameterSql class provides a structure for managing such a Sql query string together with its associated Params.

    Examples
    var queryDetails = new NamedParameterSql
    {
        Sql = "UPDATE Products SET Price = @Price WHERE ProductID = @ID",
        Params = new Dictionary<string, object>
        {
            { "@Price", 19.99m },
            { "@ID", 101 }
        }
    };

    Constructors

    NamedParameterSql()

    Declaration
    public NamedParameterSql()

    Properties

    Params

    Gets or sets a dictionary that maps parameter names from the Sql string to their corresponding values.

    Declaration
    public Dictionary<string, object> Params { get; set; }
    Property Value
    Type: Dictionary<string, object>
    Description: A Dictionary<TKey, TValue> where the key is the parameter name (string) and the value is the parameter's value (object).

    Remarks

    Each key in this dictionary should correspond to a named parameter in the Sql property. The parameter name in the dictionary should match the placeholder in the SQL string, including any prefix like '@'.

    Sql

    Gets or sets the SQL query string, which may contain named parameter placeholders.

    Declaration
    public string Sql { get; set; }
    Property Value
    Type: string
    Description: A string that represents the parameterized SQL query.

    Remarks

    This property holds the SQL command text. For security and reliability, it is recommended to use named placeholders (e.g., @parameterName) for any values that will be supplied by users. The actual values for these placeholders should be provided in the Params dictionary.
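    As an added example, not part of the Syncfusion documentation or library, the following helper turns a NamedParameterSql into an ADO.NET SqlCommand: it first checks that every '@' placeholder in Sql has an entry in Params (the requirement stated in the Remarks for both properties), then binds each entry as a command parameter so the driver, not string concatenation, supplies the values. NamedParameterSqlRunner, MissingParameters, ToCommand and ExecuteNonQuery are assumed names; System.Data.SqlClient is used as in the ADO.NET snippet above.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Text.RegularExpressions;
using Syncfusion.Blazor.QueryBuilder;

// Hypothetical helper; not an API of Syncfusion.Blazor.QueryBuilder.
public static class NamedParameterSqlRunner
{
    // Matches @name placeholders in the command text. The look-behind skips
    // T-SQL system variables such as @@ROWCOUNT. An '@' inside a string
    // literal (e.g. an e-mail address) would still be reported; keep such
    // literals in Params instead of the SQL text and this does not arise.
    private static readonly Regex Placeholder =
        new Regex(@"(?<![@\w])@\w+", RegexOptions.Compiled);

    // Returns the placeholders that appear in Sql but have no value in Params.
    public static IReadOnlyList<string> MissingParameters(NamedParameterSql query)
    {
        var provided = new HashSet<string>(
            query.Params?.Keys ?? Enumerable.Empty<string>(),
            StringComparer.OrdinalIgnoreCase);
        return Placeholder.Matches(query.Sql ?? string.Empty)
            .Cast<Match>()
            .Select(m => m.Value)
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .Where(name => !provided.Contains(name))
            .ToList();
    }

    // Builds a SqlCommand whose Parameters collection carries every entry of
    // Params; the values travel to the server separately from the SQL text.
    public static SqlCommand ToCommand(NamedParameterSql query, SqlConnection connection)
    {
        var missing = MissingParameters(query);
        if (missing.Count > 0)
            throw new ArgumentException(
                "Sql references placeholders with no value in Params: " + string.Join(", ", missing));

        var command = new SqlCommand(query.Sql, connection) { CommandType = CommandType.Text };
        foreach (var kv in query.Params)
            // AddWithValue infers the SqlDbType from the CLR value; DBNull.Value, not
            // a C# null, is what the provider expects for a SQL NULL.
            command.Parameters.AddWithValue(kv.Key, kv.Value ?? DBNull.Value);
        return command;
    }

    // Runs a statement such as the UPDATE from the Examples section above.
    public static int ExecuteNonQuery(NamedParameterSql query, string connectionString)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var command = ToCommand(query, connection))
        {
            connection.Open();
            return command.ExecuteNonQuery();
        }
    }
}
```

Because the validation runs before the command is created, a placeholder that was renamed in Sql but not in Params fails fast with a clear message instead of surfacing as a server-side "Must declare the scalar variable" error at execution time.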

    Generated by DocFX
    Copyright © 2001 - 2025 Syncfusion Inc. All Rights Reserved