MS SQL - Parameterized Query with Dynamic Number of Parameters

Question

Right now I am using the following code to generate the WHERE clause in my query. I have a parameter for the search column (searchColumn) plus another parameter from a checked listbox that I use.

If no item is checked there is no WHERE clause at all.

Is it possible to put this into a parameterized query? For the second part there's most likely a way like searchColumn NOT IN ( ... ) where ... ist the data from an array. Though I am not sure how to handle the case when there's nothing checked at all.

Any thoughts or links on this?

strWhereClause = "";
foreach (object objSelected in clbxFilter.CheckedItems)
{
     string strSearch = clbxFilter.GetItemText(objSelected);

     if (strWhereClause.Length == 0)
     {
         strWhereClause += "WHERE (" + searchColumn + " = '" + strSearch + "' "
         + "OR " + searchColumn + " = '" + strSearch + "') ";
     }
     else
     {
     strWhereClause += "OR (" searchColumn " = '" + strSearch + "' "
                                           + "OR " + searchColumn + " = '" + strSearch + "') ";
     }
}

Answer 1

It sounds like you're just trying to dynamically build a parameterized query string using C#. You're halfway there with your code - my example below builds up a dictionary with paramter names and parameter values, which you can then use to create SqlParamter s. One thing I'm not 100% sure about is where searchColumn is coming from - is this generated from user input? That could be dangerous, and parameterizing that would require using some dynamic SQL and probably some validation on your part.

strWhereClause = "";
Dictionary<string, string> sqlParams = new Dictionary<string, string>();
int i = 1;
string paramName= "@p" + i.ToString(); // first iteration: "@p1"
foreach (object objSelected in clbxFilter.CheckedItems)
{
     string strSearch = clbxFilter.GetItemText(objSelected);

     if (strWhereClause.Length == 0)
     {
         strWhereClause += "WHERE (thisyear." + strKB + " = @p1 OR " + searchColumn + " = @p1) ";
         sqlParams.Add(paramName, strSearch);
         i = 2;
     }
     else
     {
         paramName = "@p" + i.ToString(); // "@p2", "@p3", etc.
         strWhereClause += "OR (" searchColumn " = " + paramName + " "OR " + searchColumn + " = " + paramName + ") ";
        sqlParams.Add(paramName, strSearch);
        i++;
     }
}

Then, when parameterizing your query, just loop through your dictionary.

if (sqlParams.Count != 0 && strWhereclause.Length != 0)
{
  foreach(KeyValuePair<string, string> kvp in sqlParams)
  {
    command.Parameters.Add(new SqlParamter(kvp.Name, SqlDbType.VarChar) { Value = kvp.Value; });
  }
}

Answer 2

For reference only：

    string strWhereClause;
    string searchColumn;
    string strKB;
    SqlCommand cmd = new SqlCommand();
    private void button1_Click(object sender, EventArgs e)
    {
        strWhereClause = "";
        int ParmCount = 0;         
        foreach (object objSelected in clbxFilter.CheckedItems)
        {
            string strSearch = clbxFilter.GetItemText(objSelected);
            ParmCount += 1;
            string strParamName = "@Param" + ParmCount.ToString(); //Param1→ParamN
            cmd.Parameters.Add(strParamName, SqlDbType.NVarChar);
            cmd.Parameters[strParamName].Value = strSearch;
            if (strWhereClause.Length == 0)
            {
                strWhereClause += "WHERE (thisyear." + strKB + " = " + strParamName + " "
                               + "OR " + searchColumn + " = " + strParamName + ") ";
            }
            else
            {
                strWhereClause += "OR (thisyear." + strKB + " = " + strParamName + " "
                               + "OR " + searchColumn + " = " + strParamName + ") ";
            }
        }
    }