I have to upgrade the following code to use prepared statements:
    // Original approach: the IDs are concatenated straight into the SQL text.
    OdbcCommand cmd = sql.CreateCommand();
    cmd.CommandText = "SELECT [EMail] from myTable WHERE ";
    for (int i = 0; i < 50; i++)
    {
        if (i > 0)
        {
            cmd.CommandText += " OR ";
        }
        cmd.CommandText += "UNIQUE_ID = " + lUniqueIDS[i];
    }
Forgive my stupid code above; it's just an example. I'm trying to fetch all the emails of users with IDs x, y, z, etc.
The question is – how can I rewrite it using prepared statements?
A blind naive guess would be
    // Same loop, but with a "?" placeholder per ID and one bound parameter each.
    OdbcCommand cmd = sql.CreateCommand();
    cmd.CommandText = "SELECT [EMail] from myTable WHERE ";
    for (int i = 0; i < 50; i++)
    {
        if (i > 0)
        {
            cmd.CommandText += " OR ";
        }
        cmd.CommandText += "UNIQUE_ID = ?";
        cmd.Parameters.Add("@UNIQUE_ID", OdbcType.BigInt).Value = lUniqueIDS[i];
    }
Should it work? Can I append the same parameter (unique_id) more than once?
It looks like you're using positional parameters (i.e. ? in the query, rather than @UNIQUE_ID), which means the names of the parameters shouldn't matter as far as the SQL is concerned. However, I wouldn't be entirely surprised to see the provider complain... and it may make diagnostics harder too. I suggest you use the index as a suffix:
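The following is an added example, not code from the question or the answer above: it builds the same OR-chained query with one positional "?" marker per ID and gives each bound parameter an index-suffixed name (@UNIQUE_ID0, @UNIQUE_ID1, ...), so the name is unique for diagnostics while ODBC still binds strictly by position. It assumes System.Data.Odbc is available and uses the table and column names from the question; the IDs in Main are constructed sample data, and the helper names (EmailLookup, BuildCommand, FetchEmails) are my own.

```csharp
// Added example (not the question's or answer's code). Assumes System.Data.Odbc;
// table/column names come from the question, the sample IDs are constructed.
using System;
using System.Collections.Generic;
using System.Data.Odbc;
using System.Text;

static class EmailLookup
{
    // Builds the parameterised command without executing it, so it can be
    // inspected offline (pass null for conn) or run against a real connection.
    public static OdbcCommand BuildCommand(OdbcConnection conn, IReadOnlyList<long> ids)
    {
        if (ids.Count == 0)
            throw new ArgumentException("at least one ID is required", nameof(ids));

        OdbcCommand cmd = conn != null ? conn.CreateCommand() : new OdbcCommand();
        var sql = new StringBuilder("SELECT [EMail] FROM myTable WHERE ");

        for (int i = 0; i < ids.Count; i++)
        {
            if (i > 0)
                sql.Append(" OR ");

            // ODBC binds by position: the i-th "?" takes the i-th entry in
            // cmd.Parameters, so Add() must be called in the same order the
            // markers are appended. The suffix only makes errors easier to read.
            sql.Append("UNIQUE_ID = ?");
            cmd.Parameters.Add("@UNIQUE_ID" + i, OdbcType.BigInt).Value = ids[i];
        }

        cmd.CommandText = sql.ToString();
        return cmd;
    }

    // Executes the prepared command and collects the matching e-mail addresses.
    public static List<string> FetchEmails(OdbcConnection conn, IReadOnlyList<long> ids)
    {
        var emails = new List<string>();
        using (OdbcCommand cmd = BuildCommand(conn, ids))
        {
            cmd.Prepare(); // requires an open connection
            using (OdbcDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    emails.Add(reader.GetString(0));
            }
        }
        return emails;
    }

    static void Main()
    {
        // Constructed sample IDs; no database is needed to inspect the command.
        long[] sampleIds = { 101, 202, 303 };
        OdbcCommand cmd = BuildCommand(null, sampleIds);
        Console.WriteLine(cmd.CommandText);
        foreach (OdbcParameter p in cmd.Parameters)
            Console.WriteLine(p.ParameterName + " = " + p.Value);
    }
}
```

Because the values never touch the SQL text, the query shape is fixed regardless of what the IDs contain, which is the point of switching to parameters even when the IDs are integers. The one invariant to keep in mind is ordering: adding parameters out of step with the "?" markers silently binds the wrong value to the wrong slot, so keep the Append and the Add together in the same loop iteration as above.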