Questions tagged [parameterized-query]

A pre-compiled and optimized SQL statement that can be executed multiple times by changing certain constant values during each execution. Often used to prevent SQL injection.

A parameterized query or prepared statement is a pre-compiled and optimized SQL statement in the form of a template where only certain constant values (the parameters) can be changed. It can be executed multiple times by supplying different parameter values on each execution. A parameterized query looks like this:

SELECT itemName FROM Product WHERE manufactureDate BETWEEN ? AND ?

The ? placeholders are the parameters, which are substituted with the values supplied at each execution. In the example above they are the from date and the to date.

The advantages of a parameterized query are

  • No parsing and optimizing overhead on subsequent executions of the statement, because the database server can reuse the plan it built the first time
  • SQL injection through the parameter values is not possible, because the statement text is sent to and parsed by the database server separately from the parameters; a value can only ever be compared as data, never read as SQL. Parts of a statement that cannot be bound (table and column names, sort direction, the number of IN-list entries) still have to be validated, typically against an allowlist, before they are placed in the statement text
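As an added example (not part of the tag wiki), the query above is run both ways against an in-memory SQLite table: once built by string formatting, where a crafted upper bound widens the WHERE clause, and once with bound ? parameters, where the same string is only ever compared as a value. The table, its rows, the payload and the allowlisted ORDER BY helper at the end are all constructed for illustration; the last function shows the caveat that identifiers cannot be bound.

```python
import sqlite3

# Constructed sample data for illustration only (not from the tag wiki).
SAMPLE_ROWS = [
    ("widget", "2023-01-15"),
    ("gadget", "2023-06-30"),
    ("gizmo", "2024-02-01"),
]

# Columns a caller may sort by. Identifiers cannot be bound as parameters,
# so they are checked against this allowlist instead of being spliced in blindly.
ALLOWED_SORT_COLUMNS = ("itemName", "manufactureDate")


def make_db():
    """Create an in-memory Product(itemName, manufactureDate) table with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Product (itemName TEXT, manufactureDate TEXT)")
    # executemany prepares the INSERT once and re-executes it with each row's values.
    conn.executemany("INSERT INTO Product VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_date_unsafe(conn, from_date, to_date):
    """Vulnerable form: the caller's strings become part of the SQL text,
    so a quote inside to_date changes the shape of the WHERE clause."""
    sql = (
        "SELECT itemName FROM Product WHERE manufactureDate "
        f"BETWEEN '{from_date}' AND '{to_date}'"
    )
    return [row[0] for row in conn.execute(sql)]


def find_by_date(conn, from_date, to_date):
    """Parameterized form: the statement text is fixed; from_date and to_date
    are bound to the ? placeholders and compared purely as values."""
    sql = "SELECT itemName FROM Product WHERE manufactureDate BETWEEN ? AND ?"
    return [row[0] for row in conn.execute(sql, (from_date, to_date))]


def list_sorted(conn, sort_column):
    """Caveat: a column name is an identifier, not a value. Binding it as a ?
    would ORDER BY a constant string, so validate it against the allowlist
    and only then place it in the statement text."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    sql = f"SELECT itemName FROM Product ORDER BY {sort_column}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    # A to_date that closes the quote and appends OR '1'='1' (constructed payload).
    payload = "2023-03-01' OR '1'='1"
    print("string-built:", find_by_date_unsafe(conn, "2023-01-01", payload))  # every row
    print("parameterized:", find_by_date(conn, "2023-01-01", payload))  # only widget
    print("sorted:", list_sorted(conn, "manufactureDate"))
```

With the payload as the upper bound, the string-built statement becomes `... BETWEEN '2023-01-01' AND '2023-03-01' OR '1'='1'` and returns every row; the parameterized statement keeps the whole payload as the bound upper-bound string, which lexically sits just above `2023-01-15`, so only the row that genuinely falls in that range comes back.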
301 questions
6 votes, 2 answers

Parameterized DB2 Query From .NET

I am attempting to run a parameterized query against a DB2 database from .NET using the Client Access ODBC Driver using the following code: var db2Cmd = new OdbcCommand("INSERT INTO presnlats (LAT) VALUES (@LAT)",…

Karmic Coder (17,569 rep)
6 votes, 0 answers

How to specify ServiceStack.OrmLite Parameter Length

Using parameterized queries seems to set the length of the parameter to the length of the value passed in. Doing something like: var person = Connection.Query("select * from People where Name = @name", …

Phill (18,398 rep)
6 votes, 2 answers

PDO Error: "Invalid parameter number: parameter was not defined"

I am trying to use a simple MySQL insert query with the parameters in array form. It keeps telling me the number of parameters are wrong. I have tried the following, all producing the same error: $stmt3 = $link->prepare('INSERT INTO messages…

Morgan (867 rep)
5 votes, 6 answers

Fixing SQL injection forms in a big asp.net C# web application

I have to fix a project that is vulnerable to SQL injection. All the forms in every page on the project do not use parameterized queries but simply string queries. For example I have the search page, and looking at the code behind I see that there is a…

Attila (702 rep)
5 votes, 1 answer

Parameterized Oracle SQL query in Java?

I've been trying to figure out why the following code is not generating any data in my ResultSet: String sql = "SELECT STUDENT FROM SCHOOL WHERE SCHOOL = ? "; PreparedStatement prepStmt = conn.prepareStatement(sql); prepStmt.setString(1,…

echoblaze (11,176 rep)
5 votes, 1 answer

C# Microsoft Access Parameterized Queries not doing its job

I have already done research into this, and though the below questions are similar, I have tried them all, but none seems to solve my issue. Proper way of getting a data from an Access Database using parameters inserting data into access…

Kaitlyn (791 rep)
5 votes, 2 answers

SQL Server: Detect Non-Parameterized Queries

I have a client which has had programming performed by past developers. Their code has recently become suspect, and I'd like to know if they are using parameterized queries. I was hoping I could detect non-parameterized requests through SQL…

user1325179 (1,535 rep)
5 votes, 1 answer

Which prefix should I use for MySql named parameters in C# using Connector/Net?

I am using Connector/Net 6.8.3 for a C# project and have been using it (or prior versions) for quite some time. As I look through legacy code, I see several variations related to parameterized queries and have been attempting to determine what the…

JYelton (35,664 rep)
5 votes, 2 answers

Examples of parameterized queries

Could anyone give me examples of how to use parameterized queries with MySQL/PHP please?

shin (31,901 rep)
5 votes, 4 answers

Issue with Oracle bind variables not using index properly

In my scenario, the following query runs fast (0.5 seconds on a table with 70 million rows): select * from Purchases where (purchase_id = 1700656396) and, it even runs fast using bind variables: var purchase_id number := 1700656396 select * from…

Jay Sullivan (17,332 rep)
5 votes, 3 answers

Passing NULL value into parameterized delphi SQL server query

I am trying to pass in a null value to a TSQLDataset parameter. The query has the form: Query_text:='MERGE INTO [Table] USING (VALUES (:A,:B)) AS Source (Source_A, Source_B) .... WHEN MATCHED THEN …

Alex (543 rep)
5 votes, 3 answers

"Must declare the variable @myvariable" error with ADO parameterized query

I am trying to use parameterized queries with ADO. Executing the Command object throws the error: Must declare the variable '@filename'. I declare the parameter @filename using CreateParameter/Append: sql := 'INSERT INTO Sqm(Filename, data)…

Ian Boyd (246,734 rep)
4 votes, 1 answer

Parameter Delimiters

I have C# application we've been coding in ADO.NET. I've been using the IDbCommand, and IDbConnection interfaces to create cross-database code. It's all worked wonderfully so far (across Firebird, SQLite, SQL Server 2005, and 2008,…

Brian Deragon (2,929 rep)
4 votes, 1 answer

SPARQL parameterized queries

Good day! I use rdflib for Python. I have a question. How can I put a variable into a SPARQL query? Instead of 'OSPF' in course:OSPF! qres = g.query( """SELECT ?x ?z ?y WHERE { course:OSPF course:termName ?x. …

zhalnin (43 rep)
4 votes, 2 answers

error with SqlCe Parameters

I have made MANY parameterised queries in my time on this lovely planet, and none have thrown an error like this... WTFudge?!?! ERROR: There was an error parsing the query. [ Token line number = 1, Token line offset = 20, Token in error = @table…