Questions tagged [parameterized-query]

A pre-compiled and optimized SQL statement that can be executed multiple times by changing certain constant values during each execution. Often used to prevent SQL injection.

A parameterized query or prepared statement is a pre-compiled and optimized SQL statement that is in the form of a template where only certain constant values (parameters) can be changed. It can be executed multiple times by changing the parameters during each execution. A parameterized query looks like

SELECT itemName FROM Product WHERE manufactureDate BETWEEN ? AND ?

The ? placeholders are the parameters that are substituted with the values provided during each execution. In the above example they are the from date and the to date.

The advantages of a parameterized query are

  • No compiling and optimizing overhead for subsequent executions of the statement
  • SQL injection is not possible, because the statement text is sent to and parsed by the database server separately from the parameter values, which are never interpreted as SQL
301 questions
0 votes, 2 answers

OracleCommand Update works with interpolated SQL, but not with Parameterized

I'm doing some maintenance on a legacy app that uses OracleConnection and OracleCommand to manage our data. I'm having an issue where a specific update isn't working when I use parameters, but if I convert the same statement to an interpolated string,…
Mike Whitis
0 votes, 1 answer

Pass list of strings as a Parameter in Parameterized Query in DocumentDB

Is there a way I can pass a list of strings in the SqlParameter? Let's say I have 10 authors and I want to find books published by them. I know I can make 10 parameters (new SqlParameter) separately. But is there a way to just pass a list and get…
0 votes, 1 answer

Prepared Statements and Stored Procs Used Together

I'm in the planning stages of a Microsoft ASP.NET / SQL Server 2008 based web application and, in thinking about database design, I began to think about injection attacks and what strategies I should employ to mitigate the database as a vector for…
0 votes, 2 answers

Send parameters for IN operator in sql using parameterized queries in c#

I am using ASP.NET and C# to make my app. In there, for database operations, I am using parameterized queries. Here is the code: mySqlCommand = new MySqlCommand(); mySqlCommand.Parameters.AddWithValue("@ids", ids); switch (privilegeType.ToString()) { …
Prageeth Liyanage
0 votes, 2 answers

Parameterized SQL Statements

I'm trying to use a simple insert query to fill a SQL table. Currently, my script creates the query by concatenating strings but I would like to parameterize the query in order to avoid getting the following error: Exception calling…
Brennan Morell
0 votes, 1 answer

Insert query failing when using a parameter in the associated select statement in SQL Server CE

INSERT INTO voucher (voucher_no, account, party_name, rece_amt, particulars, voucher_date, voucher_type, cuid, cdt) SELECT voucher_rec_no, @account, @party_name, @rece_amt, @particulars, @voucher_date, @voucher_type, @cuid, @cdt FROM…
0 votes, 1 answer

Escaping apostrophe/single quote in parameterized sql in asp

I'm new to parametrized SQL. I've got a query in an .asp page that's getting one or more client names from a form. These are held in an array called clientArr and then passed through to SQL server as parameters. I'm escaping the ' as '' but this…
TimothyF
0 votes, 0 answers

SQL Developer parameterized query and parameterized output

I have this query in SQL Developer running on an Oracle 11g XE database: variable PDL VARCHAR2(256 BYTE); set feedback off set verify off begin :PDL := '&1'; end; / set feedback on spool c:\lexmark\spool.txt; select PRINTERNAME, SERVERNAME,…
0 votes, 1 answer

Error when getting MySQL data in .NET

I'm creating a .NET web application that retrieves data from a database. I keep getting the following error when running the below code though. Fatal error encountered during command execution. The InnerException is {"Parameter '?Username' must…
Dr R Dizzle
0 votes, 2 answers

SQL Injection without prepared statements or parameterised queries

I know there are many questions out there already regarding this subject, however none I have found specifically answer my question. I have created a simple PHP function that validates all user supplied input. Given the nature of the application I…
0 votes, 2 answers

Syntax Error in InsertStatement

I'm inserting data into a MySQL database and when I click the save button, it says: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "grade1") VALUES('section1')' at…
Fvcundo
0 votes, 1 answer

SQL Server parameterized query with a WHERE clause with Nulls

VB.NET 2012, ADO.NET, SQL Server 2014. I set up a parameterized query that works well. I essentially read records from a DataTable that comes from a different source than my SQL Server. It's small enough that I elected to read record by record and…
sinDizzy
0 votes, 1 answer

PHP MYSQL Parameterized statements > second while loop not working

Hi, my code is not working properly. The second while loop is not working. I tried many times but I can't find the mistake. Is there anything wrong with the code? Thank you! if ($stmt = $post_con->prepare('SELECT id, data FROM tb WHERE CONCAT(" ", res,…
Victor
0 votes, 1 answer

Update multiple MySQL columns using parameterized update command

In my application I want to update multiple MySQL columns using the UPDATE command. I tried it with the following code, but I know that it's really insecure because it led to SQL injection attacks. But I have no idea how to write a query with…
rafalefighter
0 votes, 1 answer

Select column of other row in parameterized statement

I am a beginner in SQL, and I was having some trouble with special characters like parentheses and asterisks in user generated data. So far, I have mostly been using a lot of ad hoc methods of getting rid of these characters and they work well…
Ravi Mehta