Questions tagged [parameterized-query]

A pre-compiled and optimized SQL statement that can be executed multiple times by changing certain constant values during each execution. Often used to prevent SQL injection.

A parameterized query or prepared statement is a pre-compiled and optimized SQL statement that is in the form of a template where only certain constant values (parameters) can be changed. It can be executed multiple times by changing the parameters during each execution. A parameterized query looks like

SELECT itemName FROM Product WHERE manufactureDate BETWEEN ? AND ?

The ? are the parameters that are substituted with the values provided during each execution. In the above example they are the from date and the to date.

The advantages of a parameterized query are

  • No compiling and optimizing overhead for the subsequent executions of the statement
  • SQL injection is not possible, because the statement is sent to and parsed by the database server separately from any parameter values
301 questions
0 votes, 1 answer

Query with multiple parameters not working in SQL Server

Here is the Query SELECT Distinct NSS.RevisionId,NSS.SheetName,NSS.SubmitId,NSS.FileName, NSS.UpdateTimeA,NSS.UpdateUserId,NSS.NG, NSS.Complete, CD.ControlName, NSS.ItemName, NSS.ItemValue, NSS.ExternalFile FROM ( SELECT rs.SheetName…
AddyProg
0 votes, 1 answer

How to make these methods parameterized?

I have a method in my business layer like this. public Boolean saveParty(Party ptObj) { string query1 = "EXEC insertToParty'" + ptObj.PTRegID + "','" + ptObj.PTName.Replace("'", "''") + "','" + ptObj.PTSymARR + "','" + ptObj.PTSymName…
0 votes, 3 answers

Recognize the type of the parameters of a user defined sql to be used in a Delphi TQuery at runtime

I'm writing a delphi(7 ver) application and in some place I want to execute parameterized queries (for BDE and Paradox) which will be loaded at runtime into a TQuery by the user. These queries will be stored in text files (one text file for one…
Hb-IT
0 votes, 2 answers

Can an ADO.NET SQL command parameter contain a sub-query?

Is it possible to create a SQL select max(id) as a variable inside a query? This doesn't work: command.CommandText = "INSERT INTO ordreid (ordrenr,ordreid) SELECT @ordrenr, @ordreid"; command.Parameters.AddWithValue("@ordrenr",…
user3888775
0 votes, 1 answer

Pulling parameters from a datagridview C#.NET

I have what is undoubtedly a simple question, but I can't seem to find that answer anywhere. I am writing a C# Windows form application that contains a datagridview that I'm using to run a SQL UPDATE statement out to the database with a dataadapter.…
Geo Ego
0 votes, 2 answers

How do I re-write a SQL query as a parameterized query?

I have heard that I can prevent SQL injection attacks by using parameterized queries, but I do not know how to write them. How would I write the following as a parameterized query? SqlConnection con = new SqlConnection( "Data Source=" +…
user3888775
0 votes, 3 answers

SQL parameterized query for "BETWEEN" and "IN" operator not working

SELECT top 10 * FRPM Events WHERE (StartDayID between @p0 AND BusinessEventCode in @p1), N'@p0 nvarchar(4000),@p1 nvarchar(4000)',@p0=N'20110701 and 20140724',@p1=N'HighVoltage,LowVoltage' StartDayID is an…
0 votes, 1 answer

How to properly run and check parameterized database queries with PHP/MySQLi

After reading related questions about parameterized queries, I realize that they are the way to go to completely (well, unless you're interpolating table values or something) prevent SQL injection, even if they are somewhat (okay, very much)…
Exabytes
0 votes, 1 answer

Error: Parameter name not found, in PostgreSQL

I am working in ASP.NET with PostgreSQL with the Devart dotConnect connection driver. When I am executing a parameterized query it is showing the error "Parameter name not found". My code is below: Command = new…
Haider Ali Wajihi
0 votes, 2 answers

How to pass multiple selected item text from DropDownListCheckBoxes to Parameterized Sql

I am able to retain the DropDownListCheckbox multi-selected items text inside a label with a button click. I need to search from the database based on the DropDownListCheckBox multi selected items and its related data from a SQL-Server database.…
Shrivatsan
0 votes, 1 answer

Parameterized query - An expression of non-boolean type specified in a context where a condition is expected, near 'END'

I have the following code: Dim sqlQuery As String = "IF NOT EXISTS ( SELECT * FROM myTable WHERE columnId = @columnId AND sourceId = @sourceId AND value = @value ) " sqlQuery += "BEGIN " sqlQuery += "INSERT INTO myTable SELECT @columnId, @sourceId,…
kevlar90
0 votes, 1 answer

Difference between ? and @VarName parameters in VB.net

I'm working on a vb.net program for in house use. I've been looking around and trying to understand what the best way to use parameterized queries is. I've seen many places that mention @VarName that would be used as INSERT INTO people…
PsychoData
0 votes, 2 answers

Problems running vb.net program on superuser-type user

I have written a program in vb.net for in house use that connects to a Progress OpenEdge database. Now I'm having a really weird runtime problem. I have a .exe file that runs on my local C: drive, the C: drive of the servers, from a certain network…
PsychoData
0 votes, 1 answer

Cannot convert datatype nvarchar to numeric

I import data from an Excel file into a SQL Server database with the following query. The Excel file has all values as string types (' before every cell). I get this error when I import it: "Cannot convert datatype nvarchar to numeric". If I…
0 votes, 1 answer

Update query (parameterized query, table-valued parameters)

I have a SQL table Inventory having many columns, two of which are LocalSKU (pk) varchar(200) NOT NULL and QOH int, and Excel data having only two columns, LocalSKU and QOH. I want to implement a query where I want to match both data according to…