How to make a parameterized SELECT query in C#?

Question

I'm trying to display data from a table in database using DataGridView and a parameterized query in C# and SQL Server.

So far, I have tried this code:

private void button1_Click(object sender, EventArgs e)
{
        SqlConnection con = new SqlConnection(@"Data Source=.\SQLEXPRESS01;Initial Catalog=Vagtplan;Integrated Security=True");

        SqlCommand cmd = new SqlCommand("SELECT Ansatte.ansatID = @ansat, Ansatte.Navn = @navn, Ansatte.Efternavn = @efternavn, Ansatte.Adresse = @adresse, Ansatte.Postnummer = @postnummer, Ansatte.Bynavn = @bynavn, Ansatte.Email = @email, Ansatte.Mobilnr = @mobilnr, Login_data.Brugertype = @brugertype FROM Ansatte INNER JOIN Login_data ON Ansatte.ansatID = Login_data.ansatID", con);

        cmd.Parameters.Add("@ansat", SqlDbType.Int);
        cmd.Parameters.Add("@navn", SqlDbType.VarChar);
        cmd.Parameters.Add("@eftervavn", SqlDbType.VarChar);
        cmd.Parameters.Add("@adresse", SqlDbType.VarChar);
        cmd.Parameters.Add("@postnummer", SqlDbType.Int);
        cmd.Parameters.Add("@bynavn", SqlDbType.VarChar);
        cmd.Parameters.Add("@email", SqlDbType.VarChar);
        cmd.Parameters.Add("@mobilnr", SqlDbType.Int);
        cmd.Parameters.Add("@brugertype", SqlDbType.VarChar);

        SqlDataAdapter sda = new SqlDataAdapter(cmd);
        DataTable dt = new DataTable();
        sda.Fill(dt);

        dataGridView2.DataSource = dt;
    }

But I get the following error:

Incorrect syntax near '='

How to fix it so I can select data using a parameterized query? Expected result is, that data will be displayed in a DataGridView.

Answer 1

You have a few things going on here, and I'll try to break down for you. Working with a database, you typically do a "select...from..." to get data and "insert into..." to add records to the tables.

Next, your query. A shortened version of yours.. The problem here is you are trying to assign the @ansat PARAMETER value INTO the Ansatte.ansatID field which is incorrect syntax context to begin with, but review on regardless.

SqlCommand cmd = new SqlCommand(
@"SELECT 
      Ansatte.ansatID = @ansat, 
      Ansatte.Navn = @navn, 
      Ansatte.Efternavn = @efternavn, 
      Ansatte.Adresse = @adresse...
   FROM 
      Ansatte 
         INNER JOIN Login_data 
            ON Ansatte.ansatID = Login_data.ansatID", con);

and then adding the parameters...

cmd.Parameters.Add("@ansat", SqlDbType.Int);
cmd.Parameters.Add("@navn", SqlDbType.VarChar);
cmd.Parameters.Add("@eftervavn", SqlDbType.VarChar);
cmd.Parameters.Add("@adresse", SqlDbType.VarChar);

Good you are using parameters, but you just DECLARED the parameters, you never assigned any actual values to them, which in essence is resulting in the following getting passed to the engine

SELECT 
      Ansatte.ansatID = , 
      Ansatte.Navn = , 
      Ansatte.Efternavn = , 
      Ansatte.Adresse = 
   FROM 
      Ansatte 
         INNER JOIN Login_data 
            ON Ansatte.ansatID = Login_data.ansatID

Hence probably your error for no value for the = sign. Now, to actually add the "Value" to your parameter... Your declaration appeared ok, just finish it with a value that could be a fixed value, from a window entry, config setting, whatever...

cmd.Parameters.Add("@ansat", SqlDbType.Int).Value = 123;
cmd.Parameters.Add("@navn", SqlDbType.VarChar).Value = "test";
cmd.Parameters.Add("@eftervavn", SqlDbType.VarChar).Value = "more";
cmd.Parameters.Add("@adresse", SqlDbType.VarChar).Value = "done";

which would result in a protected (non-sql-injection)

Now, what you might really be looking for. You have a table in your database that you want to pull information from. In this case, select the columns you WANT, not the values you want to SET. Just query. Ex:

SqlCommand cmd = new SqlCommand(
@"SELECT 
      Ansatte.ansatID, 
      Ansatte.Navn, 
      Ansatte.Efternavn, 
      Ansatte.Adresse, 
      Ansatte.Postnummer, 
      Ansatte.Bynavn, 
      Ansatte.Email, 
      Ansatte.Mobilnr, 
      Login_data.Brugertype
   FROM 
      Ansatte 
         INNER JOIN Login_data 
            ON Ansatte.ansatID = Login_data.ansatID", con);

If you run the above query, it will return all records that are in the database that have a matching ID between each respective table.

Now, tack on parameters to a SQL-SELECT query. Say you only wanted all names within a given PostNumber area. Add a WHERE condition for such field and parameterized value such as

   FROM 
      Ansatte 
         INNER JOIN Login_data 
            ON Ansatte.ansatID = Login_data.ansatID
   where
      Ansatte.Postnummer = @MyPostCriteria", con );
      

cmd.Parameters.Add("MyPostCriteria", SqlDbType.Int).Value = 11223;

Now, if you are trying to ADD a record TO the database, that would be an insert, and you can only do an insert into a single table at a time and might be something like below. You identify the table and columns you want to insert, and then the values in the same sequence as their corresponding sequence as added in parenthesis list at the top.. Then parameterize

SqlCommand cmd = new SqlCommand(
@"INSERT INTO Ansatte
   ( Navn,
     Efternavn,
     Adresse
   )
   values
   ( @parmForNavn,
     @parmForEfternavn,
     @parmForAdresse
   )", con);


    cmd.Parameters.Add("parmForNavn", SqlDbType.VarChar).Value = "test";
    cmd.Parameters.Add("parmForEfternavn", SqlDbType.VarChar).Value = "blah";
    cmd.Parameters.Add("parmForAdresse", SqlDbType.VarChar).Value = "123 some street";

Hopefully this can jump-start you into what you are trying to accomplish from either pulling data down from a database, or insert into.