Class ParameterSql - Blazor API Reference | Syncfusion


    Class ParameterSql

    Represents a parameterized SQL query, encapsulating both the SQL command and its associated parameters.

    Inheritance
    System.Object
    ParameterSql
    Namespace: Syncfusion.Blazor.QueryBuilder
    Assembly: Syncfusion.Blazor.dll
    Syntax
    public class ParameterSql : Object
    Remarks

    This class plays a crucial role in preventing SQL injection attacks by separating the SQL logic from the data. Implementations should ensure that user-provided values are passed as parameters rather than being concatenated directly into the SQL string. This is achieved by using the Sql property for the query string with placeholders and the Params property for the corresponding values.

    Examples

    The following example illustrates how to use this class to execute a secure database query with System.Data.SqlClient.

    using System.Data.SqlClient;

    // Connection string placeholder; supply your own (the page does not define one).
    string connectionString = "<connection string>";

    // Define the SQL query with named parameters.
    string queryString = "SELECT * FROM Users WHERE Username = @Username AND Password = @Password";

    // Establish connection and command objects; both are disposed when the block ends.
    using (SqlConnection connection = new SqlConnection(connectionString))
    using (SqlCommand command = new SqlCommand(queryString, connection))
    {
        // Set parameter values. They travel to the server separately from the SQL text,
        // so they are never parsed as part of the statement.
        command.Parameters.AddWithValue("@Username", "testuser");
        command.Parameters.AddWithValue("@Password", "securepassword123");

        // Execute the query.
        connection.Open();
        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                // Process the results.
            }
        }
    }

    In this example, @Username and @Password are placeholders. This approach ensures that user input is treated as literal data, not executable SQL, thus preventing injection attacks.

    Constructors

    ParameterSql()

    Declaration
    public ParameterSql()

    Properties

    Params

    Gets or sets an array of parameter values that correspond to the placeholders in the Sql query string.

    Declaration
    public object[] Params { get; set; }
    Property Value
    Type: System.Object[]
    Description: An array of objects (object[]) containing the parameter values. The default is null.

    Remarks

    For positional placeholders, the order of values in this array must match the order of the placeholders in the Sql string. For named parameters, the mapping is typically handled by the database provider, but the order should still be maintained for clarity.

    Sql

    Gets or sets the SQL statement, which may contain parameter placeholders.

    Declaration
    public string Sql { get; set; }
    Property Value
    Type: System.String
    Description: A string representing the SQL query. The default is null.

    Remarks

    The format of parameter placeholders (e.g., ? for positional or @name for named) depends on the specific database provider being used. An example with named parameters: "SELECT * FROM products WHERE ProductID = @ID".
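    The following is an added example, not Syncfusion's own code, showing how the class Remarks, the Params remarks and the Sql remarks above fit together: a ParameterSql instance is turned into a provider command without ever concatenating a value into the statement. Only the ParameterSql type with its Sql and Params members is taken from this page. The ToCommand helper, the ParameterSqlBinding class, the "<connection string>" placeholder and the products table columns other than ProductID are assumptions made for the example. The helper rewrites positional ? placeholders into @p0, @p1, ... because System.Data.SqlClient only accepts named parameters, binds Params in order, maps null values to DBNull, and rejects a count mismatch between placeholders and values instead of silently sending an incomplete command.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Common;
using System.Data.SqlClient;
using System.Linq;
using System.Text;
using Syncfusion.Blazor.QueryBuilder;

// Assumed helper (not part of the Syncfusion API): binds a ParameterSql to a DbCommand.
public static class ParameterSqlBinding
{
    public static DbCommand ToCommand(DbConnection connection, ParameterSql query)
    {
        if (connection is null) throw new ArgumentNullException(nameof(connection));
        if (query is null) throw new ArgumentNullException(nameof(query));
        if (string.IsNullOrWhiteSpace(query.Sql))
            throw new ArgumentException("ParameterSql.Sql must not be empty.", nameof(query));

        object[] values = query.Params ?? Array.Empty<object>();
        string text = query.Sql;
        var names = new List<string>();          // placeholder names in first-appearance order
        var sql = new StringBuilder(text.Length + values.Length * 4);
        bool inString = false;
        int i = 0;

        // Single pass over the statement. Placeholders inside single-quoted literals are
        // left alone; '?' becomes a generated named parameter, '@name' is kept as written.
        while (i < text.Length)
        {
            char c = text[i];
            if (c == '\'') { inString = !inString; sql.Append(c); i++; continue; }

            if (!inString && c == '?')
            {
                string generated = "@p" + names.Count;
                names.Add(generated);
                sql.Append(generated);
                i++;
                continue;
            }

            if (!inString && c == '@' && i + 1 < text.Length
                && (char.IsLetter(text[i + 1]) || text[i + 1] == '_'))
            {
                int start = i++;
                while (i < text.Length && (char.IsLetterOrDigit(text[i]) || text[i] == '_')) i++;
                string name = text.Substring(start, i - start);
                if (!names.Contains(name, StringComparer.OrdinalIgnoreCase)) names.Add(name);
                sql.Append(name);
                continue;
            }

            sql.Append(c);
            i++;
        }

        // Params is positional (object[]), so its length must equal the number of distinct placeholders.
        if (names.Count != values.Length)
            throw new InvalidOperationException(
                $"Sql declares {names.Count} placeholder(s) but Params holds {values.Length} value(s).");

        DbCommand command = connection.CreateCommand();
        command.CommandText = sql.ToString();
        for (int k = 0; k < names.Count; k++)
        {
            DbParameter p = command.CreateParameter();
            p.ParameterName = names[k];
            p.Value = values[k] ?? DBNull.Value;   // a .NET null would otherwise be rejected by the provider
            command.Parameters.Add(p);
        }
        return command;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed query: positional placeholders, values supplied separately.
        var query = new ParameterSql
        {
            Sql = "SELECT ProductID, Name FROM products WHERE CategoryID = ? AND Price <= ? AND Name <> 'what?'",
            Params = new object[] { 3, 19.99m }
        };

        using (var connection = new SqlConnection("<connection string>"))   // placeholder
        using (DbCommand command = ParameterSqlBinding.ToCommand(connection, query))
        {
            // CommandText now reads: ... CategoryID = @p0 AND Price <= @p1 AND Name <> 'what?'
            Console.WriteLine(command.CommandText);
            connection.Open();
            using (DbDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine($"{reader["ProductID"]}: {reader["Name"]}");
            }
        }
    }
}
```

    The count check is the part worth keeping in any real binding layer: a ParameterSql whose Params array is shorter than its placeholder list is a programming error, and surfacing it as an exception at bind time is far easier to diagnose than a provider error or, worse, a query that quietly runs with a missing predicate.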

    Generated by DocFX
    Copyright © 2001 - 2025 Syncfusion Inc. All Rights Reserved