Mr Pike's Blog

 Diary of an ASP.NET bodger

Re-using the SQL Command

Due to a freaky table schema, I had cause today to loop through a 'recordset' and then insert an amalgamated string into a database (saving me doing a ridiculous loop later on).

I didn't see any reason to open a new SQL command once the datareader had done its job so I re-used the SQLCommand - which turned out a lot easier than I thought. Certainly a ton easier than the old recordset. After using the imports for data and data.sqlClient I simply:

Function get_description(ByVal hcode As String)

Dim myQry As String = "SELECT field1 from table where hcode='" & hcode & "'"
Dim mytemp_Conn As SqlConnection = New SqlConnection(myConn)
mytemp_Conn.Open()

Dim myCmd As New SqlCommand(myQry, mytemp_Conn)
Dim myDr2 As SqlDataReader
Dim Description As String = "" ' Description of the hotel
Dim tempString As String = ""

myDr2 = myCmd.ExecuteReader()

While myDr2.Read()

tempString = myDr2.Item(0) & " "
tempString = tempString.Replace("'", "''")
Description &= tempString

' Concatenate each of the freaky fields.

End While

myDr2.Close()

myQry = "Insert into tcHolidays.dbo.hotel_Descriptions (hcode, description) values ('" & hcode & "','" & Description & "')"

myCmd.CommandText = myQry
myCmd.ExecuteNonQuery()
mytemp_Conn.Close()

Console.WriteLine("Description: {0}", Description)

End Function

That was basically it! In classic I'd have had to have opened a new recordset - but now its simply wash-n-go :)

 

 

Posted: Jun 12 2003, 04:12 PM by Mr Pike | with 6 comment(s)
Filed under:

Comments

Bernard Vander Beken said:

Note that this code could be subject to SQL Injection. This could be solved by using the SqlParameters collection.
# June 12, 2003 7:15 AM

Kirk Allen Evans said:

I echo Bernard's sentiment about SQL injection, and offer 3 more points.

First, old ADO code could do the same without opening a recordset through Command.Execute or Connection.Execute, each with using the poorly documented adExecuteNoRecords option.

Second, you will get better performance by using a parameterized SQL statement by replacing the literal values with question marks and using parameters in place of the literal values. The parameters can then be reused as well, where you simply set the values during each iteration.

Third, you can enhance performance a little more if your provider supports the .Prepared property for the Command object. The .Prepared property pre-compiles the SQL statement and caches it, avoiding parses for invaalid SQL statements.

Great job on the post! We need to see more articles on everyday use with ADO.NET. Keep them coming!
# June 12, 2003 9:49 AM

TrackBack said:

Kirk Allen Evans' Blog
# June 12, 2003 11:12 AM

Damian Barrow said:

Does anyone have any examples of just how much quicker parametized queries are over inline?

# June 17, 2003 5:56 AM

Damian said:

You could just run the commandline shutdown computername /s

Do a google for running commandline arguments in C# - I'm a VB guy :P
# March 30, 2004 5:33 AM

img command said:

Pingback from  img command

# July 15, 2008 8:19 PM
Leave a Comment

(required) 

(required) 

(optional)

(required)