Questions tagged [parameterized-query]

A pre-compiled and optimized SQL statement that can be executed multiple times by changing certain constant values during each execution. Often used to prevent SQL injection.

A parameterized query or prepared statement is a pre-compiled and optimized SQL statement that is in the form of a template where only certain constant values (parameters) can be changed. It can be executed multiple times by changing the parameters during each execution. A parameterized query looks like

SELECT itemName FROM Product WHERE manufactureDate BETWEEN ? AND ?

The ? placeholders are the parameters, substituted with the values supplied on each execution. In the above example they are the from date and the to date.

The advantages of a parameterized query are

  • No compiling and optimizing overhead for subsequent executions of the statement
  • SQL injection is not possible, because the SQL text is sent to and parsed by the database server separately from the parameter values, so a value can never be interpreted as part of the statement
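As an added example (not part of the tag wiki or of any question listed below): a self-contained Python script against an in-memory SQLite database that puts a string-built query beside its parameterized form and runs the wiki's BETWEEN ? AND ? template twice with different values. The Product table, its manufacturer and manufactureDate columns and the sample rows are constructed here for the demonstration; the manufacturer name O'Smile is chosen because an apostrophe is exactly the kind of value that breaks string-built SQL, as in the 'O'SMILE' syntax error quoted in the OLEDB question on this page.

```python
import sqlite3

# Constructed sample rows (not from the page); the manufacturer name
# deliberately contains an apostrophe, the kind of value that breaks
# string-built SQL.
PRODUCTS = [
    ("Casserole 20kg", "O'Smile", "2023-01-15"),
    ("Kettle", "O'Smile", "2023-03-02"),
    ("Toaster", "Acme", "2023-02-20"),
    ("Blender", "Acme", "2024-01-05"),
]


def make_db():
    """Create an in-memory SQLite database with the assumed Product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Product (itemName TEXT, manufacturer TEXT, manufactureDate TEXT)"
    )
    # executemany reuses one prepared statement for every row
    conn.executemany("INSERT INTO Product VALUES (?, ?, ?)", PRODUCTS)
    return conn


def items_by_manufacturer_concat(conn, manufacturer):
    """Unsafe: the value is spliced into the SQL text, so the parser treats
    any quote inside it as SQL syntax rather than as data."""
    sql = (
        "SELECT itemName FROM Product WHERE manufacturer = '"
        + manufacturer
        + "' ORDER BY itemName"
    )
    return [row[0] for row in conn.execute(sql)]


def items_by_manufacturer_param(conn, manufacturer):
    """Safe: the SQL text is parsed on its own and the value is bound to the
    ? placeholder afterwards, so quotes in the value stay literal."""
    sql = "SELECT itemName FROM Product WHERE manufacturer = ? ORDER BY itemName"
    return [row[0] for row in conn.execute(sql, (manufacturer,))]


def items_between(conn, from_date, to_date):
    """The tag wiki's template, executed repeatedly with different parameters."""
    sql = (
        "SELECT itemName FROM Product WHERE manufactureDate BETWEEN ? AND ? "
        "ORDER BY itemName"
    )
    return [row[0] for row in conn.execute(sql, (from_date, to_date))]


def demo():
    """Run both lookups for O'Smile plus two date ranges; returns a tuple."""
    conn = make_db()
    try:
        concat_result = items_by_manufacturer_concat(conn, "O'Smile")
    except sqlite3.OperationalError as exc:
        # The apostrophe terminates the string literal early and the rest
        # of the value is parsed as SQL: a syntax error here, and the same
        # mechanism an attacker relies on when the value is hostile.
        concat_result = "error: " + str(exc)
    param_result = items_by_manufacturer_param(conn, "O'Smile")
    year_2023 = items_between(conn, "2023-01-01", "2023-12-31")
    year_2024 = items_between(conn, "2024-01-01", "2024-12-31")
    return concat_result, param_result, year_2023, year_2024


if __name__ == "__main__":
    for label, value in zip(("concat", "param", "2023", "2024"), demo()):
        print(f"{label}: {value}")
```

Two caveats that several questions on this page run into: a placeholder can only stand for a value, never for a column or table name (those have to be checked against a fixed allow-list in application code before being spliced in), and a LIKE pattern is itself a value, so the wildcards belong in the bound string (`name LIKE ?` with the parameter set to `'%' + term + '%'`), not around the placeholder in the SQL text.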

301 questions
0 votes, 2 answers

how to pass objects (byte array) in query if query is not parameterized?

I have this query to be run: string query = @"SELECT * FROM hint WHERE addedSessionId IN (x, y, z, ............)"; if (_connSource.State != ConnectionState.Open) _connSource.Open(); MySqlCommand cmd =…
nawfal
0 votes, 1 answer

parameterized query not working in VB

statement = "SELECT OrderID, (SELECT VendName FROM Vendors WHERE Vendors.VendorID = Orders.VendorID) " & ",OrderDt, RcvdDt, OrderTotal " & "FROM Orders " & "WHERE VendName=? "…
Tomcat
-1 votes, 1 answer

Why am I getting an exception telling me that I need to declare a scalar variable here (referencing a parameter in a query)?

I've got a parameterized query which I build up based on selection criteria the user chooses on a web page. For example, here is an example query string (completeQuery) that is built: SELECT M.MovieTitle, M.IMDBRating, M.MPAARating, M.YearReleased,…
-1 votes, 1 answer

Syntax Error when executing OLEDB Select statement

When I run this query I get the following error: Syntax error(missing operator) in query expression '[Customer] = 'O'SMILE' and [Product] = 'Casserole(20kg) Code: // When print button is executed database operations // Load data from…
-1 votes, 2 answers

Hibernate Query Parameters binding incorrectly

I have been trying to write a Hibernate query and have been able to generate the Hibernate query through the server, but the parameters in the parameterized query are not getting bound correctly, i.e. if 23 is to be bound to parameter 1, but it's…
Ayush Kumar
-1 votes, 1 answer

Oracle Stored Procedure Failed With Bound Parameters

I have a stored procedure within a package in Oracle that takes in several NUMBER types as arguments, and works without issue when integers are explicitly passed. However, when utilizing bound parameters (in SQL Developer), I get the error Error…
-1 votes, 1 answer

parameterized queries for usercheck

I am new to parameterised queries. Please help with this in usercheck. I am giving the program. I want to log in to the page using my database by using parameterised queries. Please help me. Thanks in advance
-1 votes, 1 answer

Parameter with pattern matching syntax in a PostgreSQL query

I am writing a golang program in which I query a postgres database. I want to use $1 to supply values and it should do pattern matching: Db.Query("SELECT * FROM table where name like %$1%", user) It says: syntax error at or near "%"
Hardy
-1 votes, 1 answer

Using stored procedures with parameterized queries. What is the meaning of it?

Why do we use parameterized queries? Because we tell it what type of parameter it should accept (integer, string, ....). prepare("SELECT * FROM table WHERE id= ?") bind_param("i", $id) //only accepts integer On the other hand we are already telling a…
Webber Depor
-1 votes, 3 answers

Rework using parameterized queries C#

There are a lot of tutorials regarding parameterized queries, but most of them involve using SqlCommand; the only thing my code accepts is SqlDataAdapter for my SQL command, and any time I try to instantiate it as a SqlCommand I get errors. TL;DR I either…
Jaekx
-1 votes, 2 answers

Displaying error message if nothing found error

In simple data fetching it works correctly, but if something is not found it does not show a message. It means if I search for something and it is found it will fetch it, but if not, nothing is returned on screen, while I want to display a 'nothing found' message. Please…
125fura
-1 votes, 1 answer

SQL Server : parameters for column names instead of values

This might seem like a silly question, but I'm surprised that I didn't find a clear answer to this already: Is it possible to use SQL Server parameters for writing a query with dynamic column names (and table names), or does the input just need to…
JNYRanger
-1 votes, 1 answer

Opening angle bracket "<" in user input causes a 404 error

The .net app I am working on encounters an error when a user enters opening angle brackets "<" as input. Specifically this occurs when they want some sort of html input such as Google I've tried the exact same input…
HopAlongPolly
-2 votes, 1 answer

SQL injection in Windows Services?

I have many Windows services which run on the server side only. They perform a few CRUD operations on a database (MySQL). There is a client application which allows users to upload files through it to the server. When the file gets uploaded to the server, Window…
Arpit Gupta
-2 votes, 2 answers

How does SqlCommand with parameters work?

public string InsertStudent(Student student) { string message = ""; SqlConnection connection = new SqlConnection(connectionString); string query = "insert into Students values(@regNo, @name, @email, @departmentId)"; SqlCommand…