What is passing parameters to SQL and why do I need it?

by

Passing parameters to SQL saves you from having to build a dynamic SQL string.

Building dynamic SQL statements is a HUGE security risk because people can inject their own SQL code into your application, possibly executing undesirable commands against your data.

There are some good samples of possible SQL Injection attacks at:

SQL Injection Attacks by Example

There are two ways of passing parameters to SQL statements. One is to use Stored Procedures like you mentioned. The other is to use parameterized queries (which is actually what I prefer).

A parameterized query is actually quite easy in .NET:

using(SqlConnection conn = new SqlConnection(connString))
{
    SqlCommand command = 
        new SqlCommand("SELECT * FROM Users WHERE Username = @Username", conn);

    command.Parameters.Add(new SqlParameter("@Username", "Justin Niessner"));

    SqlDataAdapter adapter = new SqlDataAdapter(command);
    DataTable dt = new DataTable();

    adapter.Fill(dt);
}

In that example, the parameter was @Username and we used the Parameters collection of the SqlCommand object to pass in the value.

More Related Contents:

  1. How do I update a value in C# and SQL Server? [closed]
  2. Procedure or function xxxxx has too many arguments specified [duplicate]
  3. What are the pros and cons to keeping SQL in Stored Procs versus Code [closed]
  4. Call a stored procedure with parameter in c#
  5. Getting data from stored procedure with Entity Framework
  6. Passing List to SQL Stored Procedure
  7. Add WHERE clauses to SQL dynamically / programmatically
  8. How to pass a null variable to a SQL Stored Procedure from C#.net code
  9. Database Error: There is no row at position 0
  10. Search SQL by date ASP.NET
  11. SQL Server Char/VarChar DateTime Error [closed]
  12. Sql: Incorrect syntax near ‘(‘ [closed]
  13. How to get last inserted id?
  14. Using stored procedure output parameters in C#
  15. C# SQL Server – Passing a list to a stored procedure
  16. Insert entire DataTable into database at once instead of row by row?
  17. Why should I use int instead of a byte or short in C#
  18. What represents a double in sql server?
  19. SQL WHERE clause matching values with trailing spaces
  20. DropdownList DataSource
  21. SqlBulkCopy from a List
  22. Entity Framework – stored procedure return value
  23. What’s the fastest way to bulk insert a lot of data in SQL Server (C# client)
  24. SqlConnection.Close() inside using statement
  25. ASP.NET ODBC Query with parameters
  26. How to make LINQ execute a (SQL) LIKE range search
  27. How to pass string array in SQL parameter to IN clause in SQL
  28. Index (zero based) must be greater than or equal to zero
  29. Query validation using C#
  30. Generating sql code programmatically

Leave a Comment