sqlParameter

  • Thread starter Thread starter Tony Johansson
  • Start date Start date
T

Tony Johansson

Hello!

I just wonder when I supposed to use a SqlParameter in a SqlCommand I use
string.Format instead because it's much more straight forward and easier
I know about SQL injection.
My first question is if people bother to use this SqlParameter when they
have primitive data types because it's mush simpler to use string.format ?

In some cases it's nesessary to use SqlParameter and that is when you have
binary data types(BLOB).

So as a summary I only use sqlParameter when I have BLOB as the datatype in
all other cases I use string.format

//Tony
 
I just wonder when I supposed to use a SqlParameter in a SqlCommand I use
string.Format instead because it's much more straight forward and easier
I know about SQL injection.
My first question is if people bother to use this SqlParameter when they
have primitive data types because it's mush simpler to use string.format ?

In some cases it's nesessary to use SqlParameter and that is when you have
binary data types(BLOB).

So as a summary I only use sqlParameter when I have BLOB as the datatype in
all other cases I use string.format
Click to expand...

Always parameters for values.

It is the easiest and most verifiable way to protect against
SQL injection.

Use of String.Format would not make it through code review
in most companies.

Arne

PS: If you write a 50 line console app to load a CSV with
info about your CD collection into an Access database, then
I guess it is OK. But not for code that is intended to be used
in production in a company.
 
Arne Vajhøj said:
Always parameters for values.

It is the easiest and most verifiable way to protect against
SQL injection.

Use of String.Format would not make it through code review
in most companies.

Arne

PS: If you write a 50 line console app to load a CSV with
info about your CD collection into an Access database, then
I guess it is OK. But not for code that is intended to be used
in production in a company.
Click to expand...

I agree with you but I just wonder if I have a BLOB that I want to store in
the database is then the only solution to use Sqlparameter. I mean I just
tried with string.format when I had a Blob but I run into run time error.
I mean if I would to store types of primitive types I can use string.format
even if this is non the best solution.

So how is it when Blob which is binary types is the only solution to use
SqlParameter ?

//Tony
 
I agree with you but I just wonder if I have a BLOB that I want to store in
the database is then the only solution to use Sqlparameter. I mean I just
tried with string.format when I had a Blob but I run into run time error.
I mean if I would to store types of primitive types I can use string.format
even if this is non the best solution.

So how is it when Blob which is binary types is the only solution to use
SqlParameter ?
Click to expand...

As you said: a BLOB is binary.

SQL statements are text.

Unless the SQL dialect supports Hex or Base64 encoded binary literals
then it does not work.

Arne
 
Tony Johansson -snip-
I agree with you but I just wonder if I have a BLOB that I want to store in
the database is then the only solution to use Sqlparameter. I mean I just
tried with string.format when I had a Blob but I run into run time error.
I mean if I would to store types of primitive types I can use string.format
even if this is non the best solution.

So how is it when Blob which is binary types is the only solution to use
SqlParameter ?
Click to expand...

Nope. You could turn the binary into a hex string and then use
varbinary conversion in your SQL to turn it back into a binary on the
server.
 
Back
Top