Questions tagged [parameterized-query]

A pre-compiled and optimized SQL statement that can be executed multiple times by changing certain constant values during each execution. Often used to prevent SQL injection.

A parameterized query or prepared statement is a pre-compiled and optimized SQL statement that is in the form of a template where only certain constant values (parameters) can be changed. It can be executed multiple times by changing the parameters during each execution. A parameterized query looks like

SELECT itemName FROM Product WHERE manufactureDate BETWEEN ? AND ?

The ? are the parameters that subsituted with values provided during each execution. In the above examples they are the from date and to date.

The advantages of a parameterized query are

No compiling and optiming overhead for the subsequent executions of the statement
SQL Injection is not possible as they are sent to and parsed by the database server separately from any parameters

301 questions

votes

0 answers

Parameterized update query is not working in c#

I am trying to update details but the query is not working. client id is auto-generated. here is my code try { con.Open(); SqlCommand updatecmd = new SqlCommand(); updatecmd.CommandType =…

c# sql-server parameterized-query

asked Apr 13 '17 at 10:59

Nirmala

votes

1 answer

pymysql: MySQL Parameterized LIKE Query

Why am I getting TypeError: not all arguments converted during string formatting when trying to execute this query? I need to be able to append %{}% to the IP I am passing in so that i can run a LIKE mysql query. If this isn't the correct way to…

python mysql pymysql parameterized-query

asked Feb 24 '17 at 20:22

dobbs

1,089
6
22
45

votes

0 answers

Oracle ORA-01489: result of string concatenation is too long

I have a bit of a long query which I'll dump all of it because I have no clue as to which particular part is causing the problem. SELECT DISTINCT vip.srname, vip.frname, vip.indv_id AS empid, prf.usrpf_formal_lastname, prf.usrpf_formal_givnames, …

string oracle concatenation parameterized-query

asked Feb 02 '17 at 16:05

dokgu

4,957
3
39
77

votes

0 answers

SQL Server 2005 & Up - Concatenated Value based on Value in Joined Table

Prelude: The design of this database is truly horrible - this isn't the first "crooked" question I've asked, and it won't be the last. The question is what it is, and I'm only asking because A) I only have a couple of years of experience with SQL…

sql-server join dynamic-sql sql-view parameterized-query

asked Jan 26 '17 at 11:34

3BK

1,338
1
8
11

votes

0 answers

How to create a parameterized insert using select query that includes some dynamic values for postgresql?

I am using the nodejs pg package. I have created some simple parameterized queries using the following format: var client = new Client({user: 'brianc', database: 'test'}); client.on('drain', client.end.bind(client)); //disconnect client when all…

node.js postgresql pg parameterized-query

asked Jan 15 '17 at 04:22

user2109254

1,709
2
30
49

votes

0 answers

c# passing dblink to parameterized oracle query and connection string

to avoid sql injection I am using parameterized oracle query, but i want to know how I can pass DBlink to the table and to the connection string ? as shown below SELECT a.column1, a.column2, b.column3,a.column4, …

c# oracle c#-4.0 parameterized-query

asked Dec 23 '16 at 13:55

sam

2,493
6
38
73

votes

0 answers

Parameters value length creating new Execution Plan for the same Parameterized Query

This is what I found when digging into Sql Server for three executions of a parameterized query batch; It seems that because of the @Person_Name length variation, Sql query engine is creating new execution plans for the same query. I am generating…

sql-server vb.net parameterized-query

asked Oct 05 '16 at 11:15

Shaunak Srivastava

votes

0 answers

Informix parameterized odbc query doesn't work

Parameterized query is not working as expected. When executing Informix ODBC command in c#: OdbcCommand oc = Connection.CreateCommand(); oc.CommandText = "SELECT COUNT(*) AS CNT, MAX(someattr) AS attr1 FROM ?"; oc.Parameters.Add(new OdbcParameter()…

c# odbc informix parameterized-query

asked Oct 04 '16 at 04:53

Developer Marius Žilėnas

5,813
1
41
70

votes

2 answers

Suggestion needed for optimizing a MySQL query

I'm using parameterized queries with PHP I have the following two queries: SELECT username,question_text FROM questions,users WHERE questions.question_id = 4 AND questions.user_id = users.user_id and SELECT username, post_text FROM posts,users…

php mysql parameterized-query

asked Oct 20 '10 at 10:06

Tek

2,888
5
45
73

votes

1 answer

Why can't I use the field name as a parameter in an Access parameter query?

Working through some insert/update queries on an application today and came across a result I hadn't expected. Queries My insert queries look similar to this: PARAMETERS nm TEXT(10), st TEXT(2); INSERT INTO park(pname,…

sql ms-access syntax jet parameterized-query

asked Aug 25 '16 at 19:26

NWdev

votes

2 answers

Parameterized SQL query in R with IN clause

I am trying to fetch data through RODBC package from Vertica DB. I currently have a SQL query like the one below. library(rodbc) channel = odbcconnect("VerticaDB") query = paste ( SELECT * FROM item_history WHERE …

sql r rodbc parameterized-query

asked Aug 24 '16 at 12:32

Srivathsan V

votes

1 answer

Parameterize Insert...On Duplicate Key UPDATE fails using SET semantics

I have a database that stores information on clients. I have a unique field for phone numbers called "Phone". I'm trying to use parameterized queries to INSERT into the table, and on a duplicate key, update the clients info. I have quadruple checked…

php mysql pdo insert-update parameterized-query

asked Jul 26 '16 at 18:25

Native Coder

1,792
3
16
34

votes

0 answers

send combobox value to parameterized query Ms Access

I do have a problem to send a value of combobox to a parameterized query : what i did so far is : but when i execute my app the pop up below is showin, and asking to pass a parameter Thanks in advance.

combobox ms-access-2010 parameterized-query

asked Jul 26 '16 at 14:39

Issamovitch

votes

1 answer

c# mysql insert statement. Parameterized query example?

I'm trying to get this insert statement to work. string sql = "INSERT INTO usuario (apellido,nombre,email,password,id_localidad) " + "VALUES (?apellido,?nombre,?email,?password,?idLocalidad); "; MySqlCommand cmd…

c# mysql asp.net-mvc parameterized-query

asked Jun 24 '16 at 03:32

Juan M

4,063
4
19
28

votes

0 answers

Parameterized dynamic sql query with multiple parameters

I had a Program in c# which would run queries using a dynamically created string which would be used as a query. Now due to possibility of SQL injection, I want to use parameterized queries to generate the same. Was looking at Parameterized…

c# mysql parameterized-query

asked May 23 '16 at 13:03

The 0bserver

Prev 1 2 3

…

20 21 Next