I have a table of people
Id | Name | Info
1 | Bob | some info
2 | Mark | some info
And I have a list of names in a string separated by commas which looks like:
"Mark, Bob, John"
I need an SQL command that would select all rows that match the names in the list.
Any idea how to do it?
It's in c# on wpf and the database is PostgreSQL if that matters.
In general case, you can try building parametrized query:
string names = "Mark, Bob, John";
string[] filters = names
.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
.Select(name => name.Trim())
.Where(name => !string.IsNullOrEmpty(name))
.ToArray();
//TODO: Put the right class instead of SqlConnection
using (var connection = new SqlConnection("ConnectionStringHere")) {
connection.Open();
using (var command = connection.CreateCommand()) {
command.Connection = connection;
command.CommandText =
$#"select *
from MyTable
where Name in ({string.Join(", ", filters.Select((name, i) => $"#prm_Name{i}"))})";
//TODO: Change AddWithValue into Add and provide the RDBMS type
for (int i = 0; i < filters.Length; ++i)
command.Parameters.AddWithValue($"#prm_Name{i}", filters[i]);
using (var reader = command.ExecuteReader()) {
...
}
}
}
create an ad-hoc query from your name string like:
string Names = "Mark, Bob, John";
//Step 1: add quotes to Names
var names = Names.Split(',').Select(x => $"'{x}'").ToList();
//Step 2: Join Quoted Names
var result = String.Join(",", names.ToArray());
//Step 3 Create Ad hoc query
string query = $"SELECT * FROM people WHERE NAME IN ({result})";
I need an SQL command that would select all rows that match the names in the list.
How about IN?
SELECT * FROM People WHERE Name IN ('Mark', 'Bob', 'John')
You should take the string apart with C# first. There are many different ways to do the loop, but after you substring the names, place them in an array or a list or something. Within the loop, look for the names using the LIKE clause.
'SELECT *
FROM myTable
WHERE LOWER(nameField) LIKE LOWER(%' + variable + '%)';
Not sure how you're building your SQL but if you are using a string it would look kind of like this. You can take out the LIKE if you're only looking for direct matches. Its better to place all values in either lowercase or uppercase to make sure you're getting them UNLESS you know FOR SURE you want Mark not mark or MARK etc. I do not know C#, so I am sure there's a much better way, with adding parts of an array together with commas and such to use the IN operator.
Related
I have a table with a lot of employees in it, every person has a Name column with their full name.
I then want to do a query similar to this when searching for people:
SELECT * FROM Employees WHERE Name LIKE '%' + #value1 + '%' AND Name LIKE '%' + #value2 +'%' AND so forth...
for an arbitrary array of values.
My Dapper code would look something like this:
public IEnumerable<Employee> Search(string[] words)
{
using var connection = CreateConnection();
connection.Query<Employee>("SELECT * etc.", words);
}
Is there ANY way to do this with SQL without resorting to string concatenation, and the risk of SQL Injection attacks that follows?
Caveat: I don't know how Dapper actually passes an array to the query, which limits my creative ideas for working around this :-D
And also: Changing the Table structure is, unfortunately, out of the question. And I'd rather avoid fetching every single person into .Net memory and doing the filtering there.
Is there ANY way to do this with SQL without resorting to string concatenation, and the risk of SQL Injection attacks that follows?
Because the set of where conditions is not fixed you will need to build the query dynamically. But that does not mean you cannot parameterise the query, you just build the parameter list alongside building the query. Each time a word from the list add to the condition and add a parameter.
As Dapper doesn't directly include anything that takes a collection of DbParameter, consider using ADO.NET to get an IDataReader and then Dappter's
IEnumerable<T> Parse<T>(this IDataReader reader)
for the mapping.
Such a builder would be very roughly
var n = 0;
for (criterion in cirteria) {
var cond = $"{crition.column} like #p{n}";
var p = new SqlPatameter($"#p{n}", $"%{crition.value}%";
conditions.Add(cond);
cmd.Parameters.Add(p);
}
var sql = "select whetever from table where " + String.Join(" and ", conditions);
cmd.CommandText = sql;
var reader = await cmd.ExecuteReaderAsync();
var res = reader.Parse<TResult>();
For performance reasons, it's much better to do this as a set-based operation.
You can pass through a datatable as a Table-Value Parameter, then join on that with LIKE as the condition. In this case you want all values to match, so you need a little bit of relational division.
First create your table type:
CREATE TYPE dbo.StringList AS TABLE (str varchar(100) NOT NULL);
Your SQL is as follows:
SELECT *
FROM Employees e
WHERE NOT EXISTS (SELECT 1
FROM #words w
WHERE e.Name NOT LIKE '%' + w.str + '%' ESCAPE '/' -- if you want to escape wildcards you need to add ESCAPE
);
Then you pass through the list as follows:
public IEnumerable<Employee> Search(string[] words)
{
var table = new DataTable{ Columns = {
{"str", typeof(string)},
} };
foreach (var word in words)
table.Rows.Add(SqlLikeEscape(word)); // make a function that escapes wildcards
using var connection = CreateConnection();
return connection.Query<Employee>(yourQueryHere, new
{
words = table.AsTableValuedParameter("dbo.StringList"),
});
}
I'm running the following query
cmd = new SqlCommand("SELECT * FROM addresses WHERE identifier NOT IN(#notIn)", _connector.getMsConnection());
When I view the value notIn and copy this query I get an empty result on my database (which I'm expecting). However when I'm running this code I get 6 results. The content of string notIN is for example
string notIn = "'201619011124027899693E8M2S3WOCKT9G6KHE11' ,'201619011124027899693E8M2S3WOCKT9G6KHE12'"
which combined with
SELECT *
FROM addresses
WHERE identifier NOT IN(#notIn)
Should create
SELECT *
FROM addresses
WHERE identifier NOT IN ('201619011124027899693E8M2S3WOCKT9G6KHE11',
'201619011124027899693E8M2S3WOCKT9G6KHE12' )
which runs as expected.
it should be like this:
cmd = new SqlCommand(string.Format("SELECT * FROM addresses WHERE identifier NOT IN({0})", notIn), _connector.getMsConnection());
This way the value of notIn will be concat to your string query.
Contrary to what the other answers say, concatenating the string to build the SQL is a bad idea, especially since the input values are strings. You open yourself up to SQL injection attacks.
You should be generating multiple parameters for each item in your list.
For example, if you have the input input:
var notIn = new[] { "A1", "B2", "C3" }
You'd want something like
for(var i = 0; i < notIn.Length; i++)
command.AddParamWithValue("p"+i, notIn);
And then you can build the SQL with concatenation (note that we are not concatenating an input here)
var sql = "SELECT * FROM addresses WHERE identifier NOT IN(" + string.Join(",", notIn.Select(i,v) => { "#p" + i; }) + ")";
Which then would look like:
SELECT * FROM addresses WHERE identifier NOT IN (#p0,#p1,#p2)
Alternatively, you could dump the values into a temporary table and do a join.
Note that the above is pseudocode, and may not compile verbatim, but should give you the right idea about how to procede.
It's because, you passed the #notIn as a whole string, which means, the SQL server see it as:
SELECT * FROM addresses WHERE identifier NOT IN('''201619011124027899693E8M2S3WOCKT9G6KHE11'',''201619011124027899693E8M2S3WOCKT9G6KHE12''')
So you got empty result
Try changing the "not in" to where clause and generate the where with C#:
string selectStatement = "SELECT * FROM addresses WHERE";
selectStatement += " identifier != '201619011124027899693E8M2S3WOCKT9G6KHE11' and identifier != '201619011124027899693E8M2S3WOCKT9G6KHE12'";
Or if you really want to use parameterized SQL, try doing it in stored procedure instead.
First off I'd like to apologize if this is more of a question than an example but I'm really lost here. I have a Windows Form that loads info from a text file. In each text file there is all the cities and counties in a given state, each section is separated by the .Split. I have a SQL Server 2008 database, 2 columns, Name and type. What I'd like to do is take all of the information and add it too individual rows with the name column being the name and the type column being state or county. Here is how I have the information split. How would I add a new row for each entry in the text?
void PopulateZones()
{
ofdFile.Filter = "Text File (.txt)|*.txt|All Files (*.*|*.*";
ofdFile.FilterIndex = 1;
ofdFile.Multiselect = true;
ofdFile.FileName = String.Empty;
if (ofdFile.ShowDialog() == DialogResult.OK)
{
ofdFileLocTextBox.Text = ofdFile.FileName.ToString();
string groups = File.ReadAllText(ofdFile.FileName);
string[] parts = groups.Split(new char[] { '*' }, StringSplitOptions.RemoveEmptyEntries);
stateTextBox.Text = parts[0];
citiesTextBox.Text = parts[1];
countiesTextBox.Text = parts[2];
AddtoSQL(parts[0], parts[1]);
}
}
void AddtoSQL(string cities, string counties)
{
Sqlconnection conn = new SqlConnection(connString)
Sqlcommand comm = new Sqlcommand("INSERT into [Table] (Name, Type) Values (#Name, #Type))";
comm.Parameters.Add(#Name, each line of textbox);
comm.Parameters.Add(#Type, City or County);
comm.ExecuteNonQuery();
}
So, the first problem you have is that your code is not doing what you think it does.The big problem is that you are reading in all the text and then only ever selecting the first three values of it.You don't give the format of your data, but suppose it looks like this:
Scotland*Edinburgh*Midlothian*
Scotland*Perth*Perthshire*
Your code
string groups = File.ReadAllText(ofdFile.FileName);
Reads the whole file into one string, such that it will look like this
Scotland*Edinburgh*Midlothian*\r\nScotland*Perth*Perthshire*
So splitting it using the following
string[] parts = groups.Split(new char[] { '*' },
StringSplitOptions.RemoveEmptyEntries);
gives you a string array of 6 parts. Inserting multiple lines from this is doable but won't be very neat. You'd be much better to read your text files in by lines, and then iterate over the array of lines, splitting each one as you go and then adding the relevant parts to SQL. Something like
string[] lines = System.IO.File.ReadAllLines(ofdFile.FileName);
foreach (var line in lines)
{
string[] parts = line.Split('*');
AddtoSQL(parts[0], parts[1]);
}
That should insert all the data, but as an aside, if you are looking to execute numerous inserts at once, I'd recommend housing those inserts inside of a SQL Transaction.
I'd direct you to have a look at this MSDN article on the SqlTransaction Class
The gist of it is that you declare a transaction first, then loop over your inserts executing those against the transaction. Finally, when you commit your transaction the queries are all written to the database en mass. The reason I'd do this is that it will be much quicker and safer.
Does it work if you change your sql statement into "insert into [table] (name, type) values(#name, #type)"? with the bracket.
In SQL Server 2008 you can insert multiple line (records) with one query. All you need to do is a loop to extract row values and construct query string. So in AddToSQL method make your query like:
INSERT INTO [Table](Name, Type)
VALUES ('First',State1),
('Second',State2),
('Third',State3),
('Fourth',State4),
Insert Multiple Records Using One Insert Statement
That's what I tried & failed:
string sql = "... WHERE [personID] IN (#sqlIn) ...";
string sqlIn = "1,2,3,4,5";
SqlCeCommand cmd.Parameters.Add("#sqlIn", SqlDbType.NText).Value = sqlIn;
SqlCeDataAdapter da = new SqlCeDataAdapter(cmd);
da.Fill(ds); // > Error
Error details:
The ntext and image data types cannot be used in WHERE, HAVING, GROUP BY, ON, or IN clauses, except when these data types are used with the LIKE or IS NULL predicates.
Can't I pass all the IDs as one parameter? Should I add one by one all IDs?
P.S: Notice SqlCE
You can't parameterise that as a single parameter. Your query is doing an "in" on a single value, so is essentially:
... Where personId = '1,2,3,4,5'
(give or take a parameter). This is usually also an invalid or sub-optimal equality test, and certainly isn't what you were trying to query.
Options;
use raw concatenation: often involves a SQL injection risk, and allows poor query plan re-use
on full SQL server: use a UDF to split a single param
on full SQL server, use a TVP
add parameters dynamically, and add the various #param3 etc to the TSQL
The last is the most reliable, and "dapper-dot-net" has a feature built in to do this for you (since it is commonly needed):
int[] ids = ...
var rows = conn.Query<SomeType>(
#"... Where Id in #ids",
new { ids }).ToList();
This, when run via dapper-dot-net, will add a parameter per item in "ids", giving it the right value etc, and fixing the SQL so it executes, for example:
"... Where Id in (#ids0, #ids1, #ids2)"
(if there were 3 items in "ids")
You'll need to split the sqlIn string by comma, convert each to an integer, and build the IN statement manually.
string sqlIn = "1,2,3,4,5";
string inParams = sqlIn.Split(',');
List<string> paramNames = new List<string>();
for(var i = 0; i < inParams.Length; ++i){
string paramName = "#param" + i.ToString();
SqlCeCommand cmd.Parameters.Add(paramName, SqlDbType.Int).Value = int.Parse(inParams[i]);
paramNames.Add(paramName);
}
string sql = "... WHERE [personID] IN (" +
string.Join(",", paramNames) +
") ...";
I want to delete multiple records from access database using array.
The array is loaded dynamically from file names.
Then i query the database, and see if the database column values are matching with the array values, if not then delete it, if matches then do not delete it.
the problem is that:
Following is the code that deletes all records irrespective of the where in Condition.
arrays = Directory.GetFiles(sdira, "*", SearchOption.AllDirectories).Select(x => Path.GetFileName(x)).ToArray();
fnames.AddRange(arrays);
here I have use also for loop but that also didnt help me out :( like for(int u = 0; u < arrays.length; u++) { oledbcommand sqlcmd = new oledbcommand ("delete from table1 where name not in ("'+arrays[u]+"')",sqlconnection);
I am using this one currently foreach(string name in arrays)
{
OleDbCommand sqlcmd = new OleDbCommand("delete from table1 where name not in ('" + name + "')", sqlconnection);
sqlcmd.ExecuteNonQuery(); }`
One problem is that your code is confusing.
string [] a = {"" 'a.jpg', 'b.jpg', 'c.jpg' "}
First, you have double " in the beginning,should only be one.
string [] a = {" 'a.jpg', 'b.jpg', 'c.jpg' "}
Then this created a string array with one element,
a[0] = "'a.jpg', 'b.jpg', 'c.jpg'";
Then you do a foreach on this which natuarly ony executes once resulting in this query:
delete from table1 where name not in ('a.jpg', 'b.jpg', 'c.jpg')
But when you load the array dynamically you probably get this array
a[0] = 'a.jpg';
a[1] = 'b.jpg';
a[1] = 'c.jpg';
which will execute 3 times in the foreach resulting in the following 3 queries
delete from table1 where name not in ('a.jpg')
delete from table1 where name not in ('b.jpg')
delete from table1 where name not in ('c.jpg')
After the second one the table will be empty.
You should try this instead:
string[] names = { "a.jpg", "b.jpg","c.jpg","j.jpg" };
string allNames = "'" + String.Join("','", names) + "'";
OleDbCommand sqlcmd = new OleDbCommand("delete from table1 where name not in (" + allNames + ")", sqlconnection);
sqlcmd.ExecuteNonQuery();
Where names is created dynamically ofcause and this will result in the following query matching your test:
delete from table1 where name not in ('a.jpg', 'b.jpg', 'c.jpg')
My preferred way to dynamically fill an array is to use a list instead as a pure array is fixed in size and any change needs to create a new array.
You can loop over a list as eacy as an array.
List<string> names = new List<string>();
//or user var keyword
var names = new List<string>();
Then just use add method to add elements, loop this as needed.
names.Add(filename);
Then for the concatenation:
string allNames = "'" + String.Join("','", names.ToArray()) + "'";
And you are done.
Or you could use
string[] filePaths = Directory.GetFiles(#"c:\MyDir\", "*.jpg");
string[] names = filePaths.ToList().ConvertAll(n => n.Substring(n.LastIndexOf(#"\") + 1)).ToArray();
posting my comment as a answer
your string is not reading in 4 entries, its reading one entry of
string names = " 'a.jpg', 'b.jpg','c.jpg','j.jpg' ";
it should be
string[] names = { "a.jpg", "b.jpg","c.jpg","j.jpg" };
before your for each had a count of 1 now it should have a count of 4 with the actual values
Edit:
Not a lot of effort in this solution i must admit but if you want dynamic input could do something like:
string name = " 'a.jpg', 'b.jpg','c.jpg','j.jpg' ";
string[] names = name.Split(',').Select(x => x.Trim(' ').Trim('\'')).ToArray();
will update later if i get the change as the trims are not good atm
For populating it, if you want it as enumerable a example could be something like
IEnumerable<string> filelocations = Directory.GetFiles(sourceDirectory, "*", SearchOption.AllDirectories).Select(x => Path.GetFileName(x));
or for string array
string [] lok = Directory.GetFiles(sourceDirectory, "*", SearchOption.AllDirectories).Select(x => Path.GetFileName(x)).ToArray();
Sounds like you're either not reading the file correctly or the file is empty. You should be checking the array to make sure it's not empty before running the operation against the database. If the array is empty, it SHOULD delete everything in the database as there are no matches.
You need to define the array like this:
string[] names = { "a.jpg", "b.jpg", "c.jpg", "j.jpg" };
the way you are defining the array it contains only one value:
" 'a.jpg', 'b.jpg','c.jpg','j.jpg' "
The code in your comment will delete any files not matching the first file. that would be all non 'a.jpg' files. The next iteration will delete all files that don't match 'b.jpg' which would be 'a.jpg'. This results in an empty table. Edit: The array declaration you have generates a good IN clause when you do it manually, but when you're getting a list of filenames, you're not generating this same string.
You need to perform a join on the array to generate a single string for your where clause that way the where clause includes all files. Your ultimate where clause should look like:
where name not in ('a.jpg','b.jpg','c.jpg','d.jpg')
Right now you have:
where name not in ('a.jpg')
... next iteration
where name not in ('b.jpg')
Also, be mindful that IN operations are expensive and the longer the array is the faster the query grows.
Try using a list if you don't want to create a static sized array
List<string> names = new List<string>();
names.Add("a.jpg");
names.Add("b.jpg");
names.Add("c.jpg");
foreach (string name in names)
{
OleDbCommand sqlcmd = new OleDbCommand("delete from table1
where name not in (" + name + ")",
sqlconnection);
sqlcmd.ExecuteNonQuery();
}