I have the following snippet of code in my WCF web service that builds a set of where conditions according to the formatting of the values of a provided dictionary.
public static Dictionary<string, string>[] VehicleSearch(Dictionary<string, string> searchParams, int maxResults)
{
string condition = "";
foreach (string key in searchParams.Keys)
{
//Split out the conditional in case multiple options have been set (i.e. SUB;OLDS;TOY)
string[] parameters = searchParams[key].Split(';');
if (parameters.Length == 1)
{
//If a single condition (no choice list) check for wildcards and use a LIKE if necessary
string predicate = parameters[0].Contains('%') ? " AND {0} LIKE @{0}" : " AND {0} = @{0}";
condition += String.Format(predicate, key);
}
else
{
//If a choice list, split out query into an IN condition
condition += string.Format(" AND {0} IN({1})", key, string.Join(", ", parameters));
}
}
SqlCommand cmd = new SqlCommand(String.Format(VEHICLE_QUERY, maxResults, condition));
foreach (string key in searchParams.Keys)
cmd.Parameters.AddWithValue("@" + key, searchParams[key]);
cmd.Prepare();
Note that the values in the dictionary are explicitly set to strings and that they are the only items being sent into the AddWithValue
statements. This produces SQL like this:
SELECT TOP 200 MVINumber AS MVINumber
, LicensePlateNumber
, VIN
, VehicleYear
, MakeG
, ModelG
, Color
, Color2
FROM [Vehicle_Description_v]
WHERE 1=1 AND VIN LIKE @VIN
And errors out saying that
System.InvalidOperationException: SqlCommand.Prepare method requires all parameters to have an explicitly set type.
All searching that I have done says that I need to tell AddWithValue
the type of values that I'm preparing, but all of my prepared values are strings and all examples I've seen don't perform anything extra when they're dealing with strings. What am I missing?
Instead of this:
you need to use something like this:
You need to be able to somehow determine what datatype your parameters will have to be.
This can be something like:
SqlDbType.Int
for integer valuesSqlDbType.VarChar
for non-Unicode strings (don't forget the specify a length of the string!)SqlDbType.UniqueIdentifier
for Guidsetc.
Using
AddWithValue
is convenient - but it leaves it up to ADO.NET to guess the datatype, based on the value passed in. Most of the time, those guesses are pretty good - but at times, they can be off.I would recommend that you always explicitly say what datatype you want.
If you read the documentation, you'll see that when you're using SQLCommand.Prepare, you need to use Parameters.Add and assign a datatype to each parameter. There is a good code sample in that link that will show you how to do it.