SqlParameters

  • Thread starter Thread starter Gav
  • Start date Start date
G

Gav

Hi All,

Can somebody tell me the advantage of using SqlParameters over simple
putting the paratmeters in the sql string: ie

Getsomething(int nSomeNumber)
{
string sSqlStatement= "Select * From SomeTable Where index = " +
nSomeNumber.ToString();
SqlCommand ....etc
}

vs

Getsomething(int nSomeNumber)
{
string sSqlStatement= "Select * From SomeTable Where index = @Number";
SqlCommand ....etc
SqlParameter prmNumber = new SqlParameter (...etc (well you know how the
rest goes anyway))

}

Cheers
Gav

PS if I'm using SqlParameters how easy is it to change the values and rerun
the command?
 
Gav,

By using the parameters, you get a number of things:

- Type safety
- Length checking
- Proper conversion to the representation of the type in the query language
- Guards against SQL injection attacks

All of these things make paramters a much better alternative. If you
are going to use parameters, changing the values is a snap, just change the
Value property on the parameter to the new value, and execute the command.

Hope this helps.
 
Great info, thanks for the reply.

Regards
Gav

Nicholas Paldino said:
Gav,

By using the parameters, you get a number of things:

- Type safety
- Length checking
- Proper conversion to the representation of the type in the query language
- Guards against SQL injection attacks

All of these things make paramters a much better alternative. If you
are going to use parameters, changing the values is a snap, just change the
Value property on the parameter to the new value, and execute the command.

Hope this helps.

--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

Gav said:
Hi All,

Can somebody tell me the advantage of using SqlParameters over simple
putting the paratmeters in the sql string: ie

Getsomething(int nSomeNumber)
{
string sSqlStatement= "Select * From SomeTable Where index = " +
nSomeNumber.ToString();
SqlCommand ....etc
}

vs

Getsomething(int nSomeNumber)
{
string sSqlStatement= "Select * From SomeTable Where index = @Number";
SqlCommand ....etc
SqlParameter prmNumber = new SqlParameter (...etc (well you know how the
rest goes anyway))

}

Cheers
Gav

PS if I'm using SqlParameters how easy is it to change the values and rerun
the command?
Click to expand...
Click to expand...
 
In addition to what Nic mentioned, I believe that they allow you to use a
cached execution plan as well.
 
William,

Actually, calling the Prepare method will cause the execution plan to be
cached.
 
Back
Top