In C#.net how do I use SQL parameters with an ODBC connection

wademi asked on
Tags: .NET Programming, C#, Microsoft SQL Server 2005
I have an application that I have developed with C#.net and a SQL backend. I have a number of SQL update queries which require input from users via a text box. I am using ODBC with a SQL driver to connect to my database. I am using ODBC parameters in my query to handle user input via text box. This is to prevent database injection.

My parameters are like this.

string qryUpdateTitlte = @"update requests set requests.project_title =@updateTitle,change_user_ID = '" + user + "',change_date ='" + changedate() + "' where requests.id = '" + requestid + "'";
cmdUpdTitle = new OdbcCommand(qryUpdateTitlte, mysqlCon);
SqlParameter titleparam2 = new SqlParameter();
titleparam2.ParameterName = "@updateTitle";
titleparam2.Value = this.textBox1.Text;
cmdUpdTitle.Parameters.Add(titleparam2);
cmdUpdTitle.ExecuteNonQuery();

But every time I execute this I get the following error.

The OdbcParameterCollection only accepts non-null OdbcParameter type objects, not SqlParameter objects.

Is there something wrong with the way I structure my parameters?
How do I use SQL parameters if I am using ODBC with the SQL driver?

if (pdid != 0)
{
    string qryUpdateTitlte = @"update requests set requests.project_title =@updateTitle,change_user_ID = '" + user + "',change_date ='" + changedate() + "' where requests.id = '" + requestid + "'";
    cmdUpdTitle = new OdbcCommand(qryUpdateTitlte, mysqlCon);
    SqlParameter titleparam2 = new SqlParameter();
    titleparam2.ParameterName = "@updateTitle";
    titleparam2.Value = this.textBox1.Text;
    cmdUpdTitle.Parameters.Add(titleparam2);
    cmdUpdTitle.ExecuteNonQuery();

    qryUpdateDesc = @"update text_file set text_file.text_field =@projdescription,text_file.change_date = '" + changedate() + "', change_user_id ='" + user + "' where text_file.id = (Select requests.project_description_ID from requests where requests.id = '" + requestid + "')";
    cmdUpddesc = new OdbcCommand(qryUpdateDesc, mysqlCon);
    OdbcParameter descparam2 = new OdbcParameter();
    descparam2.ParameterName = "@projdescription";
    descparam2.Value = this.textBox2.Text;
    cmdUpddesc.Parameters.Add(descparam2);
    cmdUpddesc.ExecuteNonQuery();
}
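The following is an added example, not code from the question above, showing how the two updates look when they are fully parameterised over ODBC. Two things differ from the posted code. First, an OdbcCommand only accepts OdbcParameter objects, which is exactly what the quoted error says; SqlParameter belongs to the SqlClient provider. Second, the ODBC provider does not understand named placeholders such as @updateTitle: it uses positional `?` markers and binds parameters in the order they were added, so the ParameterName is for readability only. The example also moves the user, change date and request id out of string concatenation and into parameters, since those values are what makes the query injectable, not only the text box. The table and column names follow the question; the OdbcType choices, the treatment of the request id as a string (the question quotes it) and the placeholder connection string are assumptions.

```csharp
using System;
using System.Data.Odbc;

// Added example: parameterised updates via ODBC. Column types (OdbcType.*)
// and the string-typed request id are assumptions, not taken from the question.
public static class RequestUpdater
{
    // Updates requests.project_title. Returns the number of affected rows.
    public static int UpdateTitle(OdbcConnection con, string requestId, string newTitle,
                                  string user, DateTime changeDate)
    {
        // ODBC is positional: every '?' is bound to the parameter added at that index.
        const string sql =
            "update requests set project_title = ?, change_user_ID = ?, change_date = ? " +
            "where id = ?";

        using (var cmd = new OdbcCommand(sql, con))
        {
            // Names are ignored by the ODBC driver; order of Add() calls is what matters.
            cmd.Parameters.Add("@updateTitle", OdbcType.NVarChar).Value = newTitle;
            cmd.Parameters.Add("@user", OdbcType.VarChar).Value = user;
            cmd.Parameters.Add("@changeDate", OdbcType.DateTime).Value = changeDate;
            cmd.Parameters.Add("@requestId", OdbcType.VarChar).Value = requestId;
            return cmd.ExecuteNonQuery();
        }
    }

    // Updates the text_file row referenced by requests.project_description_ID.
    public static int UpdateDescription(OdbcConnection con, string requestId, string description,
                                        string user, DateTime changeDate)
    {
        const string sql =
            "update text_file set text_field = ?, change_date = ?, change_user_id = ? " +
            "where id = (select project_description_ID from requests where id = ?)";

        using (var cmd = new OdbcCommand(sql, con))
        {
            cmd.Parameters.Add("@projdescription", OdbcType.NText).Value = description;
            cmd.Parameters.Add("@changeDate", OdbcType.DateTime).Value = changeDate;
            cmd.Parameters.Add("@user", OdbcType.VarChar).Value = user;
            cmd.Parameters.Add("@requestId", OdbcType.VarChar).Value = requestId;
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Placeholder DSN; substitute the real ODBC connection string.
        const string connectionString = "DSN=PLACEHOLDER_DSN";

        using (var con = new OdbcConnection(connectionString))
        {
            con.Open();
            // Sample values constructed for the example; in the form they come from
            // textBox1.Text / textBox2.Text and the current user.
            int rows = UpdateTitle(con, "42", "Title with an apostrophe ' and a -- comment",
                                   "alice", DateTime.Now);
            rows += UpdateDescription(con, "42", "Long description text", "alice", DateTime.Now);
            Console.WriteLine("Rows updated: " + rows);
        }
    }
}
```

Because the title and description are bound as parameters, the driver sends them as data rather than as part of the SQL text, so an apostrophe or a `--` in the text box cannot change the statement. If a parameter is added out of order the driver will bind the wrong value to the wrong `?`, which typically surfaces as a type conversion error rather than silently succeeding, so keep the Add() calls adjacent to the SQL they belong to.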