until they understand this simple thing they can't understand why parameters are important...
So that's why you 'help' somebody who specifically asked for help on how to add a parameter to his command, by advising to concatenate the SQL string?
tarun n juneja
but i am sure you are exceptional case who wrote your 1st data access code with sql parameters
Of course not. But after somebody told me about SQL injections, I have used parameter queries ever since.... It isn't more difficult than concatenating strings (in fact, I think it is even easier because you don't have to use delimiters and think about formats),
so why not teach people to start doing things the right way, even if they didn't ask for that (of course not, because they didn't know any better, let alone that they would be aware of the risks).
From experience, I know that some developers are very unwilling to start doing things the best way, simply because they've done things the wrong way for so long. Most likely, you're one of them. I think it is best to point people as soon as possible in the right direction, especially when security is involved. If you're really aware of the risks of SQL injections, I'm sure you won't answer questions the way you do right now...
hans_v
All-Star
35998 Points
6551 Posts
Re: Passing value to SQL query parameter from my textbox
Sep 09, 2011 12:47 PM|LINK
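An added example (not code from this thread or either poster) showing the two approaches discussed above in ADO.NET: the concatenated statement that needs quoting and date formatting for every value, and the parameterized command that takes the textbox value as typed data. The Orders table, its columns and the parameter sizes are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class OrderLookup
{
    // Concatenation: each value needs its own delimiters and format, and
    // a quote character typed into the textbox becomes part of the SQL text.
    // Kept here only to show what the parameterized version replaces.
    public static string BuildConcatenated(string customerName, DateTime since)
    {
        return "SELECT OrderId, Total FROM Orders WHERE CustomerName = '"
             + customerName + "' AND OrderDate >= '"
             + since.ToString("yyyy-MM-dd") + "'";
    }

    // Parameters: no delimiters, no manual formatting; the value travels
    // to SQL Server as data, so it can never change the statement's shape.
    public static SqlCommand BuildParameterized(SqlConnection conn,
                                                string customerName, DateTime since)
    {
        var cmd = new SqlCommand(
            "SELECT OrderId, Total FROM Orders " +
            "WHERE CustomerName = @name AND OrderDate >= @since", conn);
        // Typed parameters (assumed column types): the provider handles
        // escaping, length and date encoding for us.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName;
        cmd.Parameters.Add("@since", SqlDbType.Date).Value = since.Date;
        return cmd;
    }

    // Typical Web Forms usage: txtCustomer / txtSince are hypothetical TextBox
    // controls; the raw .Text goes straight into a parameter, not into the SQL.
    public static int CountOrders(string connectionString,
                                  string txtCustomerText, string txtSinceText)
    {
        if (!DateTime.TryParse(txtSinceText, out DateTime since))
            throw new ArgumentException("Enter a valid date.", nameof(txtSinceText));

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildParameterized(conn, txtCustomerText, since))
        {
            conn.Open();
            int count = 0;
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read()) count++;
            return count;
        }
    }
}
```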