
Inserting Parameters Into ASP.Net SQL Query

I'm trying to replace some old code that runs an SQL query, using C# and ASP.Net. The old code runs an elaborate function to build the query as a string. I'm replacing that with a GridView control and a SqlDataSource. The SqlDataSource contains a query that has two parameters: employee ID (EID) and a time range (DateFilter). This second filter is currently an expression:

and a.end_dt >= Dateadd(m, Datediff(m, 0, Dateadd(m, -1, current_timestamp)), 0) 

where the "-1" is really going to be the value of a drop-down control.

The problem: I'm unable to plug in the values for @EID and @DateFilter. If I just put the above code into the SQL query directly, it runs fine, getting results on the last month or so of events. If I try plugging that text into @DateFilter, I get a crash saying "Incorrect syntax near '@DateFilter'."

I'm kind of flying blind here because I can't get access to an EID that has at least one associated record, so I can't confirm whether @EID is even having its value replaced. But @DateFilter looks like it's not being replaced, judging from the syntax error.

The SqlDataSource has an attribute of OnSelecting="DSTravel_Selecting", meaning it calls that function just before running the Select statement built into it. The function is meant to do the variable replacements like so:

protected void DSTravel_Selecting(object sender, SqlDataSourceSelectingEventArgs e)
{
    if (Session["eid"] == null)
    {
        // Binds the four-character text "null", not a SQL NULL.
        e.Command.Parameters.Add(new SqlParameter("@EID", "null"));
    }
    else
    {
        e.Command.Parameters.Add(new SqlParameter("@EID", Session["eid"]));
    }

    string filter = " "; // For debugging. Should be the above-quoted expression.

    // Bound as a string value, so SQL Server receives a literal, not SQL text.
    e.Command.Parameters.Add(new SqlParameter("@DateFilter", filter));
}

But that function just gives me the "incorrect syntax" error. I have also tried defining the parameters in advance, inside the tag:

<SelectParameters>
    <asp:Parameter Name="EID" Type="String" />
    <asp:Parameter Name="DateFilter" Type="String" />
</SelectParameters>

But I'm having no more luck with that when I then try to reference those parameters in the C# function. What do I need to do to simply replace the two @ parameters with specific chunks of text determined in a function that runs just before the SQL query runs?

Oh, and the actual query in part is:

SelectCommand="select [various things] from [table] where a.record_locator IS NOT NULL and (a.eid='@EID' or 1=1) @DateFilter order by a.end_date;"

At the moment your variable @DateFilter is being treated as a literal string rather than as part of the SQL command; you would need to concatenate this variable into a string and then use the system stored procedure sp_executesql or the keyword Exec(@SqlQuery) to execute that string (command).

A better way would be to use a stored procedure and do all this inside the procedure; you would get much better performance too.

CREATE PROCEDURE my_Proc
  @EID         VARCHAR(20) = NULL
, @DateFilter  INT         = NULL   -- month offset chosen in the drop-down, e.g. -1
AS
BEGIN
  SET NOCOUNT ON;
  DECLARE @Sql NVARCHAR(MAX);

  -- Only the shape of the statement is assembled dynamically; the values are
  -- passed as parameters of sp_executesql, never concatenated into the text.
  SET @Sql = N'select [various things]
              from [table] a
              where a.record_locator IS NOT NULL '
           + CASE WHEN @EID IS NOT NULL
                  THEN N' AND a.eid = @EID ' ELSE N'' END
           + CASE WHEN @DateFilter IS NOT NULL
                  THEN N' AND a.end_dt >= Dateadd(m, Datediff(m, 0, Dateadd(m, @DateFilter, current_timestamp)), 0) '
                  ELSE N'' END
           + N' order by a.end_date;';

  EXEC sp_executesql @Sql
                   , N'@EID VARCHAR(20), @DateFilter INT'
                   , @EID
                   , @DateFilter;
END
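For the SqlDataSource route the question started with, the same principle applies on the ASP.Net side: a SqlParameter carries a value (an ID, a number of months), never a fragment of SQL, so the command text itself has to contain the complete WHERE clause. Two details of the posted SelectCommand also matter here: `a.eid='@EID'` is a quoted string literal, so the parameter is never applied to it, and a parameter bound to DBNull cancels the select unless CancelSelectOnNullParameter is turned off. The following is an added example, not code from the question or the answer; the control IDs (DSTravel, ddlMonths), the Session key, the connection string name and the @MonthOffset parameter are assumptions, and the table and column names follow the question.

```csharp
// Added example: bind values, not SQL text, from a SqlDataSource.Selecting handler.
// Control IDs, the session key and the connection string name are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Travel : Page
{
    // Markup assumed on the .aspx page; parameter names match the @ placeholders:
    //
    // <asp:SqlDataSource ID="DSTravel" runat="server"
    //     ConnectionString="<%$ ConnectionStrings:Travel %>"
    //     CancelSelectOnNullParameter="false"
    //     OnSelecting="DSTravel_Selecting"
    //     SelectCommand="select [various things] from [table] a
    //                    where a.record_locator IS NOT NULL
    //                      and (@EID IS NULL or a.eid = @EID)
    //                      and a.end_dt >= Dateadd(m, Datediff(m, 0, Dateadd(m, @MonthOffset, current_timestamp)), 0)
    //                    order by a.end_date;">
    //     <SelectParameters>
    //         <asp:Parameter Name="EID" Type="String" />
    //         <asp:Parameter Name="MonthOffset" Type="Int32" DefaultValue="-1" />
    //     </SelectParameters>
    // </asp:SqlDataSource>
    // <asp:DropDownList ID="ddlMonths" runat="server"> (items with values -1, -3, -6 ...) </asp:DropDownList>

    protected void DSTravel_Selecting(object sender, SqlDataSourceSelectingEventArgs e)
    {
        // The parameters already exist because they are declared in <SelectParameters>;
        // SqlDataSource names them with the "@" prefix. Set their values, do not Add them again.
        SqlParameter eid = (SqlParameter)e.Command.Parameters["@EID"];
        eid.SqlDbType = SqlDbType.VarChar;
        eid.Size = 20;
        // A real SQL NULL when no employee is selected, not the text "null".
        eid.Value = Session["eid"] ?? (object)DBNull.Value;

        // The drop-down supplies a number of months. It is parsed and range-checked,
        // then sent as an integer parameter; it never becomes part of the SQL text.
        int months;
        if (!int.TryParse(ddlMonths.SelectedValue, out months) || months > 0 || months < -120)
        {
            months = -1; // fall back to "last month" on anything unexpected
        }
        e.Command.Parameters["@MonthOffset"].Value = months;
    }
}
```

With the filter expressed once in the SelectCommand and only typed values supplied at run time, there is no string to concatenate and nothing from the session or the drop-down is ever interpreted as SQL; the `or 1=1` in the original command is no longer needed because the `@EID IS NULL` test handles the "no employee" case.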

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM