Questions tagged [parameterized-query]

A pre-compiled and optimized SQL statement that can be executed multiple times by changing certain constant values during each execution. Often used to prevent SQL injection.

A parameterized query or prepared statement is a pre-compiled and optimized SQL statement in the form of a template in which only certain constant values (the parameters) can change. It can be executed multiple times with different parameter values on each execution. A parameterized query looks like

SELECT itemName FROM Product WHERE manufactureDate BETWEEN ? AND ?

The ? marks are placeholders that are substituted with the values supplied at each execution; in the example above they are the from date and the to date. A placeholder can stand only for a value (a literal such as a string, a number or a date), not for an identifier or a keyword: a table or column name, or a sort direction such as ASC/DESC, cannot be supplied this way, and several of the questions listed below run into exactly that limit.

The advantages of a parameterized query are

  • No compiling and optimizing overhead for subsequent executions of the same statement, since the database server or driver can reuse the prepared statement
  • SQL injection through the parameter values is not possible, because the statement text is sent to and parsed by the database server separately from the parameter values; a value is bound into the already-parsed statement and is never interpreted as SQL. This protects only the parameterized parts: if the statement text itself is still assembled from user input (for example with string formatting or concatenation), that part remains injectable.
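As an added illustration (not part of the tag wiki), the following Python script, using the standard-library sqlite3 module and a constructed Product table, runs the BETWEEN query above twice: once with the dates concatenated into the SQL text and once with them bound as parameters. With the payload `2023-12-31' OR '1'='1` supplied as the end date, the concatenated version returns every row, while the parameterized version treats the whole payload as one (odd) date string and returns only the rows that genuinely fall in range.

```python
import sqlite3

# Constructed sample data (not from the original page): three products.
PRODUCTS = [
    ("Widget", "2023-01-15"),
    ("Gadget", "2023-06-01"),
    ("Gizmo", "2024-02-20"),
]

# A payload that widens the WHERE clause if it is parsed as SQL.
INJECTION_END_DATE = "2023-12-31' OR '1'='1"


def make_db():
    """Create an in-memory database holding the sample Product rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Product (itemName TEXT, manufactureDate TEXT)")
    conn.executemany("INSERT INTO Product VALUES (?, ?)", PRODUCTS)
    return conn


def search_concatenated(conn, start, end):
    """Vulnerable: the dates are pasted into the statement text, so any quote
    in them is parsed as SQL.  Kept here as the 'before' picture."""
    sql = ("SELECT itemName FROM Product WHERE manufactureDate BETWEEN '"
           + start + "' AND '" + end + "'")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, start, end):
    """Safe: the statement text is fixed and parsed first; the dates are bound
    to the two ? placeholders afterwards and can only ever be values."""
    sql = "SELECT itemName FROM Product WHERE manufactureDate BETWEEN ? AND ?"
    return [row[0] for row in conn.execute(sql, (start, end))]


if __name__ == "__main__":
    db = make_db()
    print("honest query, concatenated: ", search_concatenated(db, "2023-01-01", "2023-12-31"))
    print("honest query, parameterized:", search_parameterized(db, "2023-01-01", "2023-12-31"))
    print("payload, concatenated:      ", search_concatenated(db, "2023-01-01", INJECTION_END_DATE))
    print("payload, parameterized:     ", search_parameterized(db, "2023-01-01", INJECTION_END_DATE))
```

The concatenated statement ends up as `... BETWEEN '2023-01-01' AND '2023-12-31' OR '1'='1'`, and since OR binds more loosely than BETWEEN every row matches. The parameterized statement never changes its text; SQLite simply compares the stored text dates against the payload as a string, so Widget and Gadget match and Gizmo does not. With a typed date column on a server such as SQL Server, the same payload would normally be rejected at bind time as an invalid date rather than compared as text.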
301 questions
0 votes, 2 answers

When parameterized query executes it does not seem to have a value for the parameter

The following code as I understand it should create a parameterized statement and adds a value to that parameter. The parameter being "@exp" and the value being added to it is determined by user input. I store the user input in String exp; (Not my…
HopAlongPolly
0 votes, 1 answer

Loading SQL views (dynamically) into a WinForms application

I'm writing a WinForms application in C# with the purpose of selecting from views with aggregated data on an SQL server. The point is to generate charts from the views using the System.Windows.Forms.DataVisualization.Charting namespace. As of now, I…
sara
0 votes, 1 answer

Using a Parameterized Query on a SQL Table in Excel using VBA

I have some code that is supposed to run a parameterized query of the SQL table that I am querying. The way that it does this is there is a designated cell (Z1) that is supposed to take in an input value from one of my columns and then automatically…
Mitchell Walker
0 votes, 1 answer

ASP.NET How to remove double quotation from parameterized SQL query?

It seems not to be working because double quotations are also inserted when I use a parameterized SQL query. How can I remove the double quotations? cmd.Parameters.AddWithValue("@SORT", (rdbAscending.Checked) ? "ASC" : "DESC");
Seehyung Lee
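The question above is a case the tag wiki's placeholder rule does not cover: ASC/DESC is a keyword, so binding it as a parameter turns it into a quoted string literal rather than a sort direction. As an added example (not from the question or from any answer to it), here is the usual pattern in Python with sqlite3 and a constructed Product table: the sort column and direction are mapped through allow-lists before being placed in the statement text, while the row count, which is a value, is bound normally to a ? placeholder (SQLite's LIMIT; SQL Server's TOP (@n) takes a parameter the same way). The block also shows what the database says when a keyword position is given a placeholder.

```python
import sqlite3

# Constructed sample rows (not from the original page).
ROWS = [("Gizmo", 30), ("Widget", 10), ("Gadget", 20)]

# Allow-lists: the only identifiers and keywords that may reach the SQL text.
SORT_COLUMNS = {"name": "itemName", "price": "price"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    """Create an in-memory database holding the sample Product rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Product (itemName TEXT, price INTEGER)")
    conn.executemany("INSERT INTO Product VALUES (?, ?)", ROWS)
    return conn


def bind_direction_as_parameter(conn, direction):
    """What the question tried: a placeholder where the keyword belongs.
    Returns the database's error text, or None if the statement ran."""
    try:
        conn.execute("SELECT itemName FROM Product ORDER BY price ?", (direction,))
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)  # a syntax error: a bound value is never a keyword


def sorted_products(conn, sort_key, direction, limit):
    """Hardened version: identifier and keyword are chosen from the allow-lists
    (the raw input never enters the SQL text); the row count is a value and is
    bound as a real parameter."""
    try:
        column = SORT_COLUMNS[sort_key.lower()]
        order = SORT_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort option: {sort_key!r} {direction!r}")
    sql = f"SELECT itemName FROM Product ORDER BY {column} {order} LIMIT ?"
    return [row[0] for row in conn.execute(sql, (int(limit),))]


def rejects(conn, sort_key, direction):
    """True if the allow-list rejects the given sort options."""
    try:
        sorted_products(conn, sort_key, direction, 10)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(bind_direction_as_parameter(db, "ASC"))
    print(sorted_products(db, "price", "asc", 3))
    print(sorted_products(db, "price", "DESC", 2))
    print(rejects(db, "price; DROP TABLE Product", "asc"))
```

The point of the allow-list is that the user's string is only ever used as a dictionary key; what lands in the statement is a constant the program itself wrote. Anything not in the dictionary is refused rather than escaped, so there is no quoting logic to get wrong.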
0 votes, 2 answers

Datetime issues on conversion. Parameterized query is not accepting the datetime value

I have this function ExecuteSqlParameterizedQuery and here under is my query: Queryobj.ExecuteSqlParameterizedQuery(String.Format("INSERT INTO tbladd(ID,MyDateTime,Birthday)values({0},@dta, @dtb)", m_Id, MyDateTime.ToString(),…
Django Anonymous
0 votes, 2 answers

VB.Net Update doesn't update my database

This is the code that I am trying to run. It will run without errors, but it does not update my database. It will work when it is not Parameterized, but when I add parameters in it starts acting up. Here is the problematic code. Public Sub…
JDev
0 votes, 2 answers

Can parameterized queries have output parameters?

In SQL Server is there a way to have an output parameter return the total number of records (for paging) in a parameterized query?
adam0101
0 votes, 4 answers

Prevent SQL injection in ASP.NET

I have the following authentication method: protected void Button1_Click(object sender, EventArgs e) { string s; s = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString; …
LeonidasFett
0 votes, 1 answer

ms-access + vb6: parameterized queries without stored queries

I was wondering if in ms-access through vb6 (ADODB) I can have the security benefits of parameterized queries Set Prm = CmdEnn.CreateParameter("pText1", adBSTR, adParamInput) Prm.Value = pText1 Cmd.Parameters.Append Prm without using…
MirrorMirror
0 votes, 2 answers

How to stop Npgsql casting parameter values

I am using Npgsql to issue parameterized PostGIS queries on a Postgres database. The problem is that Npgsql casts all parameterized variables using a longhand notation, and PostGIS doesn't understand cast variables in some cases. For example,…
Aren Cambre
0 votes, 2 answers

SqlParameter Object C#

Possible Duplicate: XKCD SQL injection — please explain I'm very new in C# and I want to know. When building an SQL string in C#, why do we need to use an SqlParameter object to represent user's input instead of directly passing in the string?
user1580957
0 votes, 1 answer

PHP sqlsrv parameterized stored procedure T-SQL syntax

In the documentation for calling a SQL Server stored procedure with parameters from PHP using the sqlsrv extension, it uses a bizarre syntax: {call SubtractVacationHours( ?, ?)} What I would expect would be: EXEC SubtractVacationHours ?, ?; In the…
icc97
0 votes, 2 answers

How to parameterize widestrings using TADOCommand parameterized query?

I am trying to use a parameterized query with Delphi TADOCommand: var s: WideString; cmd: TADOCommand; recordsAffected: OleVariant; begin cmd := TADOCommand.Create(nil); cmd.Connection := Connection; cmd.CommandText := 'INSERT…
Ian Boyd
0 votes, 1 answer

Correct way of placeholders in parameterized query from C#

Everything works, but this is just to know the correct practice/right approach/what makes sense Say I have the code: string query = "SELECT * FROM table WHERE parent_id=@parentId and id = @id"; OleDbCommand c = new OleDbCommand(query, _con); And…
nawfal
0 votes, 1 answer

parameterized top clause query in asp.net C#

I want to use the top clause query in C# objConnection = new SqlConnection(ConfigurationManager.AppSettings["connectionstring"].ToString()); objConnection.Open(); objCommand = new SqlCommand("SELECT TOP (@perpage) * FROM…
asifa