Using SQL Server with .NET and System.Data.SqlClient

These examples focus on the C# language. If you're looking for VB.NET examples, try www.CodeProject.com.

Executing queries on a Microsoft SQL Server using SqlDataReader requires 3 basic objects (all of them in the System.Data.SqlClient namespace):

SqlConnection - Controls the actual connection to the SQL server.
SqlCommand - Controls queries and commands to be executed on the SqlConnection.
SqlDataReader - Provides unidirectional read access to the result sets returned by queries.

Stored Procedures vs. Dynamic SQL

If you control both the SQL server and the code accessing the server, I highly recommend that you use Stored Procedures ("sprocs") instead of dynamic SQL to service queries. Sprocs provide key advantages over dynamic SQL:

execution efficiency - sprocs are precompiled on the server, allowing the execution plan to be optimized and the SQL itself to be parsed ahead of time
security - if you only allow sproc execution and control parameters appropriately, arbitrary SQL execution is mitigated. Coupled with SSPI and proper security procedures (out of scope for this discussion), security is much better executing sprocs than plain SQL.
bandwidth - the SQL to be executed is not transmitted to the SQL server for each query

Coding guidelines

Before we get started, I want to stress some important considerations when coding your own versions of the sample code you see here.

Do not just copy and paste this code and expect it to work for you! I have made a moderate effort to ensure that the code is correct and fairly safe, but YMMV, and as part of your due diligence you should always understand every line of code and how it impacts your application's security, performance, etc.
You always need error and exception handling code--it goes hand-in-hand with the actual "mainline" code.
Please, for the love of all that is holy, do not catch System.Exception! If an exception is raised, you must handle only those exceptions you can recover from. Yes, it takes more work, but you will reap the benefits in increased security and performance ten-fold in any project of more than a few source files.

1. SqlConnection2. SqlCommand (sproc)3. SqlCommand (text)4. SqlCommand.NonQuery (ignore the result set!)5. SqlCommand.ExecuteReaderPrintable view

Opening a connection to the SQL Server

First things first. Before you do anything, you must create and open a connection to the SQL server that is going to be executing your query. To do this, you need to instantiate a SqlConnection object and set its ConnectionString property (you may do so in the constructor, if you like). ADO connection strings are documented a bit arcanely in the MSDN library, mainly due to their flexibility. 95% of the time you can get away with a simple connection string like this:

server=MyServer; database=MyDatabase; Integrated Security=SSPI

...or if you are using SQL security (bad! bad! bad!) instead of Windows Integrated security:

server=MyServer; database=MyDatabase; userid=MyUserID; password=MyPassword

Once you have created the SqlConnection, the next step is to open the connection. To do so, just call the Open() method on your SqlConnection object:

SqlConnection conn = new SqlConnection("server=MyServer; database=MyDatabase; Integrated Security=SSPI");
conn.Open();

After you are finished with the connection, close it! SQL connections are often limited in number by a license agreement, so you want to get in, get/send your data, and get out as soon as possible.

Creating a Stored Procedure SqlCommand

Now that you have an open connection to the server, you may execute SQL commands over that connection. The object used for this is the SqlCommand. In order to send a command, you must first tell the connection what type of command you are going to execute: a Stored Procedure, dynamic SQL (Text), or direct OLEDB table access. For the purposes of this exercise, we will be dealing with Stored Procedures ("sprocs") and dynamic SQL ("text") only, as direct table access is only used the the SqlDataAdapter class.

Instantiate your SqlCommand object (see Opening a connection to the SQL Server above) and set the proper CommandType:

SqlCommand cmd = new SqlCommand("SprocName", conn);
cmd.CommandType = CommandType.StoredProcedure;

Most sprocs need at least one input parameter, and some require output parameters to return scalar data as well. Parameters are stored in the SqlCommand's Parameters property. Here are some examples of adding parameters:

Notice the spStatus parameter? After you execute the command, you can obtain the output parameter from the sproc by getting the value of spStatus through its Value property.

Retrieving data with a SqlDataReader

Now that the command's parameters have been set, you can execute it! For commands that return one or more result set, you need to use a SqlDataReader to get the data. You get the reader by calling SqlCommand.ExecuteReader();

SqlDataReader reader = cmd.ExecuteReader();

SqlDataReader works like a forward-only, non-caching row reader. In other words, you get access to one row at a time, and you can only move forward. Since the whole point is to get the data quickly and close the connection, this is exactly what you need. Fortunately, the .NET Framework has dynamically-sized arrays available for use out-of-the-box. In the 1.0 and 1.1 Frameworks, you have the System.Collections.ArrayList. The 2.0 Framework adds generics support (similar to C++ templates), but that's out of scope for this sample.

A simple way to get the data:

This is certainly simple, but if you know the data types ahead of time, you can explictly retrieve the fields directly into your custom objects:

using System; 
using System.Data; 
using System.Data.SqlClient;

namespace Pegasi 
{
    class SqlSample
    {
        [STAThread]
        public static void Main(string[] args) 
        {
            SqlConnection conn = null; 
            SqlDataReader reader = null;
            ArrayList list = new ArrayList();
            try
            {
                conn = new  SqlConnection("server=mySqlServer;database=myDatabase;Integrated Security=SSPI");
                conn.Open();
                reader = cmd.ExecuteReader();
                int ixName = reader.GetOrdinal("Name");
                int ixCount = reader.GetOrdinal("Count");
                int ixStrength = reader.GetOrdinal("Strength");
                int ixDate = reader.GetOrdinal("Date");
                while (reader.Read())
                {
                    MyObject obj = new MyObject();
                    obj.Name = reader.GetString(ixName);
                    obj.Count = reader.GetInt32(ixCount);
                    obj.Strength = reader.GetFloat(ixStrength);
                    obj.Date = reader.GetDateTime(ixDate);
                    list.Add(obj);
                }
            }
            catch(SqlException ex)
            {
                Console.Error.WriteLine(ex.Message + ex.StackTrace);
                throw; // do not throw ex!  this is important for preserving InnerException and stack trace data
            }
            finally
            {
                if (null != reader)
                    reader.Close();
                if (null != conn)
                    conn.Close();
            }
        }    
    }
}

Do you have comments or questions about this page? I want to hear them!