wademi asked on

In C#.net how do I use SQL parameters with an ODBC connection

I have an application that I have developed with C#.net and a SQL backend. I have a number of SQL update queries which require input from users via a text box. I am using ODBC with a SQL driver to connect to my database. I am using ODBC parameters in my query to handle user input via text box. This is to prevent database injection.

My parameters are like this.

string qryUpdateTitlte = @"update requests set requests.project_title =@updateTitle,change_user_ID = '" + user + "',change_date ='" + changedate() + "' where requests.id = '" + requestid + "'";
                        cmdUpdTitle = new OdbcCommand(qryUpdateTitlte, mysqlCon);
                        SqlParameter titleparam2 = new SqlParameter();
                        titleparam2.ParameterName = "@updateTitle";
                        titleparam2.Value = this.textBox1.Text;
                        cmdUpdTitle.Parameters.Add(titleparam2);
                        cmdUpdTitle.ExecuteNonQuery();

But every time I execute this I get the following error.

The OdbcParameterCollection only accepts non-null OdbcParameter type objects, not SqlParameter objects.

Is there something wrong with the way I structure my parameters?
How do I use SQL parameters if I am using ODBC with SQL driver?

if (pdid != 0)
                    {
                        string qryUpdateTitlte = @"update requests set requests.project_title =@updateTitle,change_user_ID = '" + user + "',change_date ='" + changedate() + "' where requests.id = '" + requestid + "'";
                        cmdUpdTitle = new OdbcCommand(qryUpdateTitlte, mysqlCon);
                        SqlParameter titleparam2 = new SqlParameter();
                        titleparam2.ParameterName = "@updateTitle";
                        titleparam2.Value = this.textBox1.Text;
                        cmdUpdTitle.Parameters.Add(titleparam2);
                        cmdUpdTitle.ExecuteNonQuery();
                        
                        qryUpdateDesc = @"update text_file set text_file.text_field =@projdescription,text_file.change_date = '" + changedate() + "', change_user_id ='" + user + "' where text_file.id = (Select requests.project_description_ID from requests where requests.id = '" + requestid + "')";
                        cmdUpddesc = new OdbcCommand(qryUpdateDesc, mysqlCon);
                        OdbcParameter descparam2 = new OdbcParameter();
                        descparam2.ParameterName = "@projdescription";
                        descparam2.Value = this.textBox2.Text;
                        cmdUpddesc.Parameters.Add(descparam2);
                        cmdUpddesc.ExecuteNonQuery();
                        
 
 
                    }


.NET Programming, Microsoft SQL Server 2005, C#

8/22/2022 - Mon
rstomar

Use ODBCParameter with ODBCCommand.

SQLParameter is for SQLCommand
dweppenaar

You will get much better performance and control if you use the SQL specific data accessor classes located in System.Data.SqlClient than the ODBC ones.
ASKER
wademi

Hi RSTOMAR, I am using ODBCCommand. I tried to use SqlParameter before but I changed it back to ODBC afterwards. I am still getting the error.
ASKER CERTIFIED SOLUTION
rstomar

ASKER
wademi

Thanks rstomar. You are the best.
rstomar

You are welcome.
rstomar

Please don't forget to accept the solution.
Thanks
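
An added example, not part of the original thread or any poster's code: with System.Data.Odbc and a text command, parameter markers are `?` and are bound by position, so a named `@updateTitle` in the SQL text is not matched to an OdbcParameter. The sketch below rewrites the question's title update with every value bound as an OdbcParameter instead of concatenated; the column types and sizes, the `DSN=MyDsn` connection string and the sample values are assumptions.

```csharp
using System;
using System.Data.Odbc;

static class RequestUpdates
{
    // ODBC binds parameters by position: each ? takes the next entry in
    // Parameters, in the order added. The parameter names are labels only.
    const string UpdateTitleSql =
        "update requests set project_title = ?, change_user_ID = ?, " +
        "change_date = ? where id = ?";

    public static int UpdateTitle(OdbcConnection con, string title,
                                  string user, DateTime changeDate, int requestId)
    {
        using (var cmd = new OdbcCommand(UpdateTitleSql, con))
        {
            // Column types and sizes are assumptions; match them to the schema.
            cmd.Parameters.Add("@updateTitle", OdbcType.NVarChar, 255).Value = title;
            cmd.Parameters.Add("@user", OdbcType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@changeDate", OdbcType.DateTime).Value = changeDate;
            cmd.Parameters.Add("@requestId", OdbcType.Int).Value = requestId;
            return cmd.ExecuteNonQuery();   // number of rows affected
        }
    }

    static void Main()
    {
        // Placeholder connection string (assumption): substitute your own DSN.
        using (var con = new OdbcConnection("DSN=MyDsn"))
        {
            con.Open();
            // Constructed input: the quote is stored as data, not parsed as SQL.
            int rows = UpdateTitle(con, "O'Brien's project", "wademi",
                                   DateTime.Now, 42);
            Console.WriteLine(rows + " row(s) updated");
        }
    }
}
```

Binding `user`, the change date and the request id as parameters closes the same injection path that the title parameter was meant to close, since all four values reach the statement as data.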