Why use command parameters?


BLUE

using System;
using System.Collections.Specialized;
using System.Data;
using System.Data.Common;
using System.Globalization;

// Inside a DAL method: this.factory is a DbProviderFactory and
// nameValueCollection holds the already validated fields as strings.
DbParameter dateAndTime = this.factory.CreateParameter();
dateAndTime.ParameterName = "@DateAndTime";
dateAndTime.DbType = DbType.DateTime;
// Strip the trailing 'Z' and parse with the sortable ("s") ISO 8601 pattern so the
// clock value is taken as-is instead of being converted from UTC to local time.
string utcDtString = nameValueCollection.Get("dateAndTime").TrimEnd('Z');
dateAndTime.Value = DateTime.ParseExact(utcDtString, "s", CultureInfo.InvariantCulture);

// Force '.' as decimal separator regardless of the thread culture (it-IT uses ',').
NumberFormatInfo nfi = new NumberFormatInfo();
nfi.NumberDecimalSeparator = ".";

DbParameter latitude = this.factory.CreateParameter();
latitude.ParameterName = "@Latitude";
latitude.DbType = DbType.Decimal;
latitude.Value = decimal.Parse(nameValueCollection.Get("latitude"), nfi);


If I do not set datetime in this way it will not be stored as UTC but
converted to my local timezone.

If I set latitude value with a string it gives me an error since I'm in
Italy and here the comma is used instead of the dot in decimal numbers.

Why use Parameters if I have to do all this work?
I can simply check the fields before doing a query and then build the query
with the "+" concatenation operator.


Thanks,
Luigi.
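As an added example (my own code, not Luigi's), the same two fields parsed without trimming the Z by hand or building a custom NumberFormatInfo: ParseExact is told the string is UTC and must stay UTC, and the decimal is parsed with CultureInfo.InvariantCulture. The class and method names and the sample values are my own.

```csharp
using System;
using System.Globalization;

// Added example: culture-independent parsing of the two web-service fields.
public static class InvariantParsing
{
    // Accepts "2008-03-30T09:30:01Z" (or the same string without the Z) and
    // returns a DateTime with Kind == Utc whose clock value is not shifted to
    // local time. DateTime.Parse would instead convert a 'Z' string to local
    // time, which is the 09:30 -> 11:30 shift described in the thread.
    public static DateTime ParseUtc(string iso8601)
    {
        string[] formats =
        {
            "yyyy'-'MM'-'dd'T'HH':'mm':'ss'Z'",   // ISO 8601 with UTC designator
            "yyyy'-'MM'-'dd'T'HH':'mm':'ss"       // same pattern as the "s" format
        };
        // AssumeUniversal: a value carrying no offset information is UTC.
        // AdjustToUniversal: return it as UTC rather than converting to local.
        return DateTime.ParseExact(iso8601, formats, CultureInfo.InvariantCulture,
            DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal);
    }

    // The service sends '.' as decimal separator and so does the invariant
    // culture, so this parses correctly on an it-IT machine as well.
    // NumberStyles.Number is deliberately NOT used: it allows group separators,
    // so an unexpected "45,4642" would silently parse as 454642 instead of failing.
    public static decimal ParseLatitude(string latitude)
    {
        return decimal.Parse(latitude,
            NumberStyles.AllowLeadingSign | NumberStyles.AllowDecimalPoint,
            CultureInfo.InvariantCulture);
    }

    public static void Main()
    {
        // Constructed sample values in the shape the web service delivers.
        DateTime when = ParseUtc("2008-03-30T09:30:01Z");
        decimal lat = ParseLatitude("45.4642");

        // Kind is printed next to the value so the reader can confirm it is Utc.
        Console.WriteLine(when.ToString("o", CultureInfo.InvariantCulture) + " Kind=" + when.Kind);
        Console.WriteLine(lat.ToString(CultureInfo.InvariantCulture));
    }
}
```

Because the DateTime handed to the DbType.DateTime parameter now has Kind == Utc, the clock value stored in a timezone-less column is the UTC one the service sent, and the decimal parse no longer depends on the machine's regional settings.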
 
Well, for one, parameters virtually eliminate the chance of a SQL injection
attack. They also deal with the O'Malley issue and other parameter
formatting issues.

--
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
INETA Speaker
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest books:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition) and
Hitchhiker's Guide to SQL Server 2005 Compact Edition
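As an added example of the two points in this reply (my own code, not Bill's or the original poster's), the same INSERT built once by concatenation and once with parameters. The table name Position, the Owner column and the use of the System.Data.SqlClient provider with DbProviderFactories are my own choices for illustration; only @DateAndTime and @Latitude come from the thread.

```csharp
using System;
using System.Data;
using System.Data.Common;
using System.Globalization;
using System.Threading;

// Added example: the same INSERT built by concatenation and with parameters.
public static class ParameterDemo
{
    // Concatenation: the values become part of the SQL grammar. An apostrophe in
    // a legitimate value ends the string literal early, and the date and decimal
    // are rendered in the thread's current culture, not in a form the server expects.
    public static string BuildByConcatenation(string owner, DateTime when, decimal latitude)
    {
        return "INSERT INTO Position (Owner, DateAndTime, Latitude) VALUES ('"
             + owner + "', '" + when + "', " + latitude + ")";
    }

    // Parameters: the SQL text is constant; the values are sent separately and
    // typed, so nothing formats them as text and the server never re-parses them
    // as SQL. That separation is what removes the injection and formatting issues.
    public static DbCommand BuildWithParameters(DbProviderFactory factory, DbConnection connection,
                                                string owner, DateTime when, decimal latitude)
    {
        DbCommand cmd = factory.CreateCommand();
        cmd.Connection = connection;
        cmd.CommandText = "INSERT INTO Position (Owner, DateAndTime, Latitude) "
                        + "VALUES (@Owner, @DateAndTime, @Latitude)";
        AddParameter(factory, cmd, "@Owner", DbType.String, owner);
        AddParameter(factory, cmd, "@DateAndTime", DbType.DateTime, when);
        AddParameter(factory, cmd, "@Latitude", DbType.Decimal, latitude);
        return cmd;
    }

    private static void AddParameter(DbProviderFactory factory, DbCommand cmd,
                                     string name, DbType type, object value)
    {
        DbParameter p = factory.CreateParameter();
        p.ParameterName = name;
        p.DbType = type;
        p.Value = value;
        cmd.Parameters.Add(p);
    }

    public static void Main()
    {
        // Reproduce the original poster's environment: an Italian thread culture.
        Thread.CurrentThread.CurrentCulture = new CultureInfo("it-IT");

        // Constructed sample values: a surname with an apostrophe (the "O'Malley
        // issue"), a UTC timestamp and a latitude.
        string owner = "O'Malley";
        DateTime when = new DateTime(2008, 3, 30, 9, 30, 1, DateTimeKind.Utc);
        decimal latitude = 45.4642m;

        // The printed statement has a string literal that ends after the O, a
        // dd/MM/yyyy date and a comma as decimal separator: three ways for the
        // server to reject or misread the row, with no malicious input at all.
        Console.WriteLine(BuildByConcatenation(owner, when, latitude));

        // Assumed: the System.Data.SqlClient provider is registered with
        // DbProviderFactories (as on the .NET Framework). No connection is
        // opened; the command is only built and inspected.
        DbProviderFactory factory = DbProviderFactories.GetFactory("System.Data.SqlClient");
        using (DbConnection connection = factory.CreateConnection())
        {
            DbCommand cmd = BuildWithParameters(factory, connection, owner, when, latitude);
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine(cmd.Parameters.Count + " parameters, sent separately from the SQL text");
        }
    }
}
```

Note that the parameterized version contains no parsing or formatting code at all: the caller passes a DateTime and a decimal, and the provider serializes them in the wire format the server understands, independent of the machine's regional settings.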
 
Blue,

If you live in Italia and use a parse string like you do, then the sense of
globalisation is totally useless. The simple parse has to do everything.
Telling that you are using a fixed string and a variant from the English
language does not look to me like the right way.

Then why use parameters? Besides the attack, it is just much easier to work
with. What is easier than declaring your variables as you used to do in the
rest of your program and then to tell:

MyDateParameter = DateTime.TryParse(utcDtString) extra a ; with C#

http://msdn2.microsoft.com/en-us/library/ch92fbc1.aspx

You are using C#, however as soon as it becomes the server you seem to want
to use a kind of JavaScript for that.

Cor
 
> The simple parse has to do everything.
> Telling that you are using a fixed string and a variant from the English
> language does not look to me like the right way.

I forgot to say that I'm receiving XML data from a Web Service and I
validate it against a schema in which all strings are alphanumeric and
uppercase [0-9A-Z]: no SQL injection possible.

The business logic layer does validation and checks app-specific constraints
between data fields, then all is passed to the DAL as a nameValueCollection.

Datetime in xml is in ISO 8601 format not a variant from the English
language.
I remove the Z and use ParseExact because debugging I've seen that with
normal Parse my variable has a time in local format (string has time
09:30:01 and var 11:30:01 because of daylight saving).


It's obvious queries are more clear and elegant, but I've written 2*N where
N was the previous number of lines of code and in my case I've no benefit
(no SQL injection problem, no variables in a program to use parameters since
I've only to store, not do extra work) and I always have to parse things like
I did with strings.

> MyDateParameter = DateTime.TryParse(utcDtString) extra a ; with C#

"extra a ; with C#": what does this mean?
I know there is a TryParse method but I do not know about an "extra a"
statement.

> You are using C#, however as soon as it becomes the server you seem to
> want to use a kind of JavaScript for that

Sorry but I do not understand: I do not want to use JavaScript and I cannot
use it on my web service nor in SQL Server as far as I know.


Thanks,
Luigi.
 
This newsgroup is for any programming language, however especially for VB and C#.

Therefore the sentence is valid for VB and C#, but C# needs a ; at the end.
:-)

I expected that you did not know TryParse, therefore the link.

In my idea, using a concatenated string with all kinds of + is more JavaScript
style, not C#.

Cor
