Results 1 to 5 of 5

Thread: SQL Server Parameters

  1. Sep 5th, 2006, 04:16 AM #1
    jamesclarke112
    jamesclarke112 is offline

    Thread Starter
    Lively Member
    Join Date
    Jul 2006
    Posts
    84

    SQL Server Parameters

    I have no problem with the coding of sql parameters, but could someone give me an explanation or a good link of why I should use them.

    Consider if I had a variable called
    VB Code:
    1. dim strName as String =  "John"
    I could then do either
    VB Code:
    1. sqlCmd.CommandText = "SELECT * FROM contacts WHERE name = '" & strName & "'"
    or
    VB Code:
    1. sqlCmd.CommandText = "SELECT * FROM contacts WHERE name = @name"

    2. sqlCmd.Parameters.Add(New SqlCeParameter("@name", strName))
    Thankyou
    Reply With Quote Reply With Quote
  2. Sep 5th, 2006, 04:24 AM #2
    jmcilhinney
    jmcilhinney is offline
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    111,221

    Re: SQL Server Parameters

    Increase readability and reduce the chance of errors. Try writing an SQL statement where you update 20 columns with string concatenation.

    Increased security. A clever user might enter a value that is legitimate SQL code that wipes out your entire database. In the example above, see what happens if strName contains the following:

    "SomeName'; DELETE FROM Table1; SELECT * FROM contacts WHERE name = 'SomeName"

    You'd end with:

    "SELECT * FROM contacts WHERE name = 'SomeName'; DELETE FROM Table1; SELECT * FROM contacts WHERE name = 'SomeName'"

    and you'd delete every record from Table1 and you'd have no idea why. If you use a parameter then the value doesn't become part of the actual statement so there's no risk of this type of SQL injection attack.
    Why is my data not saved to my database? | MSDN Data Walkthroughs
    VBForums Database Development FAQ
    My CodeBank Submissions: VB | C#
    My Blog: Data Among Multiple Forms (3 parts)
    Beginner Tutorials: VB | C# | SQL
    Reply With Quote Reply With Quote
  3. Sep 5th, 2006, 08:30 AM #3
    jamesclarke112
    jamesclarke112 is offline

    Thread Starter
    Lively Member
    Join Date
    Jul 2006
    Posts
    84

    Re: SQL Server Parameters

    Thanks for the info. Now I have a coding question

    I have a 2 queries each with around 10 paramaters. The second query shares about 8 ofthese parameters with the other 2 changing. Currently after the first query I am doing
    VB Code:
    1. sqlCmd.Parameters.Clear()
    and then adding them all back in (with the 2 different ones) again. Is there a way of clearing just the 2 parameters and kepping the others.

    Thanks
    Reply With Quote Reply With Quote
  4. Sep 5th, 2006, 08:51 AM #4
    techgnome
    techgnome is offline
    PowerPoster techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,687

    Re: SQL Server Parameters

    Parameters.Remove .... should do the trick.... although I've always re-created the command object and parameters everytime, so I don't know for sure that it'll work.

    -tg
    * I don't respond to private (PM) requests for help. It's not conducive to the general learning of others.*
    * I also don't respond to friend requests. Save a few bits and don't bother. I'll just end up rejecting anyways.*
    * How to get EFFECTIVE help: The Hitchhiker's Guide to Getting Help at VBF - Removing eels from your hovercraft *
    * How to Use Parameters * Create Disconnected ADO Recordset Clones * Set your VB6 ActiveX Compatibility * Get rid of those pesky VB Line Numbers * I swear I saved my data, where'd it run off to??? *
    Reply With Quote Reply With Quote
  6. Sep 5th, 2006, 05:55 PM #5
    jmcilhinney
    jmcilhinney is offline
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    111,221

    Re: SQL Server Parameters

    The Parameters property is just a collection, so it essentially works like any other collection. Add, Remove and Clear are standard functionality for a collection because they are members if the IList interface, that pretty much every collection implements.
    Why is my data not saved to my database? | MSDN Data Walkthroughs
    VBForums Database Development FAQ
    My CodeBank Submissions: VB | C#
    My Blog: Data Among Multiple Forms (3 parts)
    Beginner Tutorials: VB | C# | SQL
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules


Click Here to Expand Forum to Full Width