Parameterized queries v6.0.2.1

A parameterized query is a query with one or more parameter markers embedded in the SQL statement. Before executing a parameterized query, you must supply a value for each marker found in the text of the SQL statement.

Parameterized queries are useful when you don't know the complete text of a query when you write your code. For example, the value referenced in a WHERE clause can be calculated from user input.

As shown in the following example, you must declare the data type of each parameter specified in the parameterized query by creating an EDBParameter object and adding that object to the command's parameter collection. Then, you must specify a value for each parameter by calling the parameter's Value() function.

The example shows using a parameterized query with an UPDATE statement that increases an employee salary:

<% @ Page Language="C#" Debug="true"%>
<% @Import Namespace="EnterpriseDB.EDBClient" %>
<% @Import Namespace="System.Data" %>
<% @Import Namespace="System.Configuration" %>

<script language="C#" runat="server" >

private void Page_Load(object sender, System.EventArgs e)
{
  string strConnectionString = ConfigurationManager.AppSettings
  ["DB_CONN_STRING"];
  EDBConnection conn = new EDBConnection(strConnectionString);

  string updateQuery  = "UPDATE emp SET sal = sal+500 where empno = :ID";

  try {
      conn.Open();

      EDBCommand cmdUpdate = new EDBCommand(updateQuery,conn);

      cmdUpdate.Parameters.Add
      (new EDBParameter(":ID", EDBTypes.EDBDbType.Integer));

      cmdUpdate.Parameters[0].Value = 7788;

      cmdUpdate.ExecuteNonQuery();

      Response.Write("Record Updated");

  }
  catch(Exception exp) {
      Response.Write(exp.ToString());
  }
  finally {
      conn.Close();
  }
}
</script>

Save the sample code in a file named updateSalary.aspx in a web root directory.

To invoke the sample code, enter the following in a browser: http://localhost/updateSalary.aspx