Stored Proc w/ Parameters

Thread starter: Mark

I see two ways to fill a dataset with the results of a stored procedure:

1. Create a SqlCommand object with the text ...

using System.Data;
using System.Data.SqlClient;
....
sqlConn.Open();
// the parameter value is concatenated straight into the command text
String strSql = "exec p_my_sproc @intParam = " + intParam.ToString();
SqlCommand sqlComm = new SqlCommand(strSql, sqlConn);
SqlDataAdapter da = new SqlDataAdapter(sqlComm);
da.Fill(ds);

or

2. Create a SqlCommand object using SqlParameter class.

What is going on behind the scenes that would make option 2 more worthwhile?
Under what circumstances?

Thanks in advance!
Mark
 
Hi,

A few important things, in fact, like:

1- You don't need to filter the content of the parameters for the SQL command;
this is something called code injection. In short, it consists of setting a
parameter in such a way that the SQL engine interprets it as part of the
query. Take a look at
http://www.nextgenss.com/papers/advanced_sql_injection.pdf for a much deeper
explanation.

2- You have to use the second construction when you want to pass certain
datatypes, such as image (I'm referring to the SQL image type, do not confuse it
with the framework Image); this is used when you want to store a file in the DB.

I'm sure there are other reasons, though.

Cheers,
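As an added example (not code posted by either participant in this thread), here are the two constructions side by side in C# with System.Data.SqlClient, plus the image case from point 2 of the reply. The procedure name p_my_sproc and its @intParam come from the question; p_store_file and its @fileName/@fileData parameters are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;

// Added example. Assumes a stored procedure p_my_sproc taking @intParam int
// (from the question) and a hypothetical p_store_file taking
// @fileName nvarchar(260) and @fileData image.
static class SprocExamples
{
    // Option 1 from the question: the value is concatenated into the command text.
    // The SQL engine never sees a parameter, only a string of T-SQL, so whatever
    // ends up in that string is interpreted as part of the command. With an int
    // this is merely awkward; with a caller-supplied string there is no reliable
    // way to "filter" it into safety, which is the injection point the reply describes.
    public static DataSet FillByConcatenation(SqlConnection sqlConn, int intParam)
    {
        String strSql = "exec p_my_sproc @intParam = " + intParam.ToString();
        using (SqlCommand sqlComm = new SqlCommand(strSql, sqlConn))
        using (SqlDataAdapter da = new SqlDataAdapter(sqlComm))
        {
            DataSet ds = new DataSet();
            da.Fill(ds);   // Fill opens and closes the connection if it is closed
            return ds;
        }
    }

    // Option 2: CommandType.StoredProcedure plus SqlParameter. The driver sends
    // the procedure name and each parameter value separately (an RPC call), so
    // the value travels as data and is never parsed as command text. The
    // parameter is also typed: a non-numeric string cannot be passed as an int.
    public static DataSet FillWithParameters(SqlConnection sqlConn, int intParam)
    {
        using (SqlCommand sqlComm = new SqlCommand("p_my_sproc", sqlConn))
        {
            sqlComm.CommandType = CommandType.StoredProcedure;
            sqlComm.Parameters.Add("@intParam", SqlDbType.Int).Value = intParam;

            using (SqlDataAdapter da = new SqlDataAdapter(sqlComm))
            {
                DataSet ds = new DataSet();
                da.Fill(ds);
                return ds;
            }
        }
    }

    // Point 2 of the reply: binary data such as the SQL image type. A byte[]
    // has no sensible textual form to concatenate into a command string, so it
    // can only be sent as a parameter value. (p_store_file is hypothetical.)
    public static int StoreFile(SqlConnection sqlConn, string path)
    {
        byte[] fileData = File.ReadAllBytes(path);
        using (SqlCommand sqlComm = new SqlCommand("p_store_file", sqlConn))
        {
            sqlComm.CommandType = CommandType.StoredProcedure;
            sqlComm.Parameters.Add("@fileName", SqlDbType.NVarChar, 260).Value = Path.GetFileName(path);
            sqlComm.Parameters.Add("@fileData", SqlDbType.Image, fileData.Length).Value = fileData;

            if (sqlConn.State != ConnectionState.Open)
                sqlConn.Open();
            return sqlComm.ExecuteNonQuery();   // rows affected
        }
    }
}
```

The same separation of data from command text applies to string parameters (nvarchar, varchar), where it matters most: with SqlParameter the value is sent as a bound value regardless of the quotes, semicolons or comment markers it may contain, so no escaping or filtering of the content is needed.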
 