C# Prepared Statements - @ sign (at / strudel sign) queries

Question

I Have a problem with a prepared statement in C#:

OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID = ?";
cmd.Parameters.Add("@USER_ID", OdbcType.VarChar, 250).Value = email;

(of course email contains a valid email address, with @ sign).

This code returns a random error -

"The connection has been disabled" {"ERROR [01000] [Microsoft][ODBC SQL Server Driver][TCP/IP Sockets]ConnectionWrite (send()). ERROR [08S01] [Microsoft][ODBC SQL Server Driver][TCP/IP Sockets]General network error. Check your network documentation."}

However if I run my code without a prepared statement, meaning:

cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID = '"+email+"'";

Everything works perfectly.

Maybe it's related to the fact that I have a @ sign in the parametrized value? I tend to think I'm not the first one trying to create a prepared statement with an email address...

I have no idea what's wrong! Other prepared statements work normally...

Can you please help? :) Thanks, Nili

Answer 1

Indeed, ODBC has its share of issues with supporting named parameters. However, certain usage of named parameters is possible.

For example, in your case the following syntax works:

OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID = ?";
cmd.Parameters.Add("USER_ID", OdbcType.VarChar, 250).Value = email;

More tricky situation is when you don't have a unique match for the parameter like USER_ID = ?; e.g., when you want to use the IN operator in the WHERE clause.

Then the following syntax would do the job:

OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID IN (?, ?)";
cmd.Parameters.Add("?ID1", OdbcType.VarChar, 250).Value = email1;
cmd.Parameters.Add("?ID2", OdbcType.VarChar, 250).Value = email2;

Please note the usage of ? (question mark) instead of @ (at sign) within the parameter name. Although note that substitution of parameters' values in this case has nothing to do with their names, but only with their order with the parameters collection.

I hope this helps :-)

Answer 2

Use '@USER_ID' instead of '?' and all should work:

OdbcCommand cmd = sql.CreateCommand();
cmd.CommandText = "SELECT UNIQUE_ID FROM userdetails WHERE USER_ID = @USER_ID";
cmd.Parameters.Add("@USER_ID", OdbcType.VarChar, 250).Value = email;

Answer 3

Is there a specific reason you're using OdbcCommand rather than using the SqlClient provider?

With the SqlClient provider, you should be using named parameters as others have suggested.

But according to MSDN:

The .NET Framework Data Provider for OLE DB and .NET Framework Data Provider for ODBC do not support named parameters for passing parameters to an SQL statement or a stored procedure. In this case, you must use the question mark (?) placeholder, as in the following example.

So I'm not sure named parameters will work in this case.