Results 1 to 3 of 3

Thread: Security for passing parameters into commands

Thread Tools
- Show Printable Version
Display
- Switch to Linear Mode
- Switch to Hybrid Mode
- Threaded Mode

Threaded View

Previous Post

Next Post

Jan 20th, 2012, 08:59 AM #1
Skilleddreamer

View Profile

View Forum Posts
Thread Starter
Junior Member

Join Date

Jan 2012

Posts

25
Security for passing parameters into commands
I've read that when passing parameters to the commandtext method for the IDbcommand object I shouldn't build the command string as

Code:

command.CommandText = _ "SELECT * FROM CUSTOMERS WHERE CITY = '" & _ inputCity + "'";

but instead use the SqlParameter object as this is more secure

Code:

command.CommandText = _ "SELECT * FROM CUSTOMERS WHERE CITY =@City"

my question is, why is this more secure because surely I'm assigning a string value to my parameter anyway. Are the two methods majorly different?
Reply With Quote

Quick Navigation Database Development Top

« Previous Thread | Next Thread »

Tags for this Thread

sql

Posting Permissions

You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
[VIDEO] code is On
HTML code is Off

Click Here to Expand Forum to Full Width

Terms and Conditions | About Us | Privacy Notice | Contact Us | Advertise | Sitemap| California - Do Not Sell My Info

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

All times are GMT -5. The time now is 12:15 PM.