Class NamedParameterSql
Encapsulates the components of a parameterized SQL query, including the SQL string with named parameters and a dictionary of their corresponding values.
Inheritance: System.Object → NamedParameterSql
Namespace: Syncfusion.Blazor.QueryBuilder
Assembly: Syncfusion.Blazor.dll
Syntax
public class NamedParameterSql : Object
Remarks
This class promotes database security by enabling the use of parameterized queries, which is a key defense against SQL injection attacks. Parameterized queries separate SQL logic from user-provided data, ensuring that input is treated as literal values rather than executable code.
For instance, a typical ADO.NET implementation would look like this (the snippet is wrapped in a method here so that connectionString, username and password are declared):

    using System.Data.SqlClient;

    static void ReadUser(string connectionString, string username, string password)
    {
        // Define the SQL query with named parameters.
        string queryString = "SELECT * FROM Users WHERE Username = @Username AND Password = @Password";

        // Establish a connection and command.
        using (var connection = new SqlConnection(connectionString))
        {
            var command = new SqlCommand(queryString, connection);

            // Add parameters and their values.
            command.Parameters.AddWithValue("@Username", username);
            command.Parameters.AddWithValue("@Password", password);

            // Execute the command.
            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    // Process the results.
                }
            }
        }
    }

In this pattern, @Username and @Password are placeholders that are safely bound by the database driver; the values are never spliced into the SQL text. The NamedParameterSql class provides a structure for managing the Sql query string and its associated Params.
Examples
    var queryDetails = new NamedParameterSql
    {
        Sql = "UPDATE Products SET Price = @Price WHERE ProductID = @ID",
        Params = new Dictionary<string, object>
        {
            { "@Price", 19.99m },
            { "@ID", 101 }
        }
    };
Constructors
NamedParameterSql()
Declaration
public NamedParameterSql()
Properties
Params
Gets or sets a dictionary that maps parameter names from the Sql string to their corresponding values.
Declaration
public Dictionary<string, object> Params { get; set; }
Property Value
| Type | Description |
|---|---|
| System.Collections.Generic.Dictionary<System.String, System.Object> | A System.Collections.Generic.Dictionary<System.String, System.Object> where the key is the parameter name ( |
Remarks
Each key in this dictionary should correspond to a named parameter in the Sql property. The parameter name in the dictionary should match the placeholder in the SQL string, including any prefix like '@'.
Sql
Gets or sets the SQL query string, which may contain named parameter placeholders.
Declaration
public string Sql { get; set; }
Property Value
| Type | Description |
|---|---|
| System.String | A |
Remarks
This property holds the SQL command text. For security and reliability, use named placeholders (e.g., @parameterName) for any value that originates from users, and supply the actual values for those placeholders through the Params dictionary rather than concatenating them into the string.