SqlCommand.Prepare method requires all parameters

2019-02-23 13:20发布

I have the following snippet of code in my WCF web service that builds a set of where conditions according to the formatting of the values of a provided dictionary.

public static Dictionary<string, string>[] VehicleSearch(Dictionary<string, string> searchParams, int maxResults)
{
    string condition = "";
    foreach (string key in searchParams.Keys)
    {
        //Split out the conditional in case multiple options have been set (i.e. SUB;OLDS;TOY)
        string[] parameters = searchParams[key].Split(';');
        if (parameters.Length == 1)
        {
            //If a single condition (no choice list) check for wildcards and use a LIKE if necessary
            string predicate = parameters[0].Contains('%') ? " AND {0} LIKE @{0}" : " AND {0} = @{0}";
            condition += String.Format(predicate, key);
        }
        else
        {
            //If a choice list, split out query into an IN condition
            condition += string.Format(" AND {0} IN({1})", key, string.Join(", ", parameters));
        }
    }

    SqlCommand cmd = new SqlCommand(String.Format(VEHICLE_QUERY, maxResults, condition));
    foreach (string key in searchParams.Keys)
        cmd.Parameters.AddWithValue("@" + key, searchParams[key]);
    cmd.Prepare();

Note that the values in the dictionary are explicitly set to strings and that they are the only items being sent into the AddWithValue statements. This produces SQL like this:

SELECT TOP 200 MVINumber AS MVINumber
    , LicensePlateNumber
    , VIN
    , VehicleYear
    , MakeG
    , ModelG
    , Color
    , Color2
FROM [Vehicle_Description_v]
WHERE 1=1 AND VIN LIKE @VIN

And errors out saying that

System.InvalidOperationException: SqlCommand.Prepare method requires all parameters to have an explicitly set type.

All searching that I have done says that I need to tell AddWithValue the type of values that I'm preparing, but all of my prepared values are strings and all examples I've seen don't perform anything extra when they're dealing with strings. What am I missing?

2条回答
干净又极端
2楼-- · 2019-02-23 13:38

Instead of this:

cmd.Parameters.AddWithValue("@" + key, searchParams[key]);

you need to use something like this:

cmd.Parameters.Add("@" + key, SqlDbType.******).Value = searchParams[key];

You need to be able to somehow determine what datatype your parameters will have to be.

This can be something like:

  • SqlDbType.Int for integer values
  • SqlDbType.VarChar for non-Unicode strings (don't forget the specify a length of the string!)
  • SqlDbType.UniqueIdentifier for Guids
    etc.

Using AddWithValue is convenient - but it leaves it up to ADO.NET to guess the datatype, based on the value passed in. Most of the time, those guesses are pretty good - but at times, they can be off.

I would recommend that you always explicitly say what datatype you want.

查看更多
放我归山
3楼-- · 2019-02-23 13:48

If you read the documentation, you'll see that when you're using SQLCommand.Prepare, you need to use Parameters.Add and assign a datatype to each parameter. There is a good code sample in that link that will show you how to do it.

查看更多
登录 后发表回答