Stack Overflow
Stack Overflow

Questions tagged [parameterized-query]

A pre-compiled and optimized SQL statement that can be executed multiple times by changing certain constant values during each execution. Often used to prevent SQL injection.

A parameterized query or prepared statement is a pre-compiled and optimized SQL statement that is in the form of a template where only certain constant values (parameters) can be changed. It can be executed multiple times by changing the parameters during each execution. A parameterized query looks like

SELECT itemName FROM Product WHERE manufactureDate BETWEEN ? AND ?

The ? are the parameters that subsituted with values provided during each execution. In the above examples they are the from date and to date.

The advantages of a parameterized query are

  • No compiling and optiming overhead for the subsequent executions of the statement
  • SQL Injection is not possible as they are sent to and parsed by the database server separately from any parameters
301 questions
3
votes
2 answers

Best way to debug parameterized query in c#

Escape ( ' ) symbol in Textbox for asp.net c# Based on the question in post above, most people suggested that "parameterized query" is the best solution to avoid the sql injection. Below is my code by using the sql injection public DataSet…
120196
  • 283
  • 6
  • 14
3
votes
3 answers

c# - Parametrized Query

I am working on a .net website which uses a DB2 database which uses Insert/Update and Select Queries. I researched about SQL Injection and I believe I've parametrized my query to avoid SQL Injection. Could you check if I've done it correctly and is…
user6097989
  • 47
  • 8
3
votes
1 answer

Why can't I delete from db using node-postgres?

Is there something special i need to do with a parameterized query? the following seems to succeed (i'm using a promise-ified client.query see end), console.log('cancel for', data); var cancelInviteQuery = 'delete from friendship where user_1=$1…
Michael
  • 2,973
  • 1
  • 27
  • 67
3
votes
2 answers

sp_ExecuteSql: The parameterized query expects the parameter @XX, which was not supplied

I'm trying to build a dynamic stored procedure to allow me to pass my string where clause as part of the parameter. However, following this article from MSDN I still couldn't get it running and having the error as described by the title. Any help is…
user3840039
  • 47
  • 1
  • 11
3
votes
1 answer

Parameterized queries in sqlite3 using question marks

I am using sqlite3 module with Python and have this code so far. In the database I have stored daily weather conditions, and now I need my code to replace some rows with updated data. The code is supposed to be looking for the row with datetime…
andgeo
  • 1,155
  • 4
  • 10
  • 17
3
votes
1 answer

How to insert values from another table in PostgreSQL?

I have a table which references other tables: CREATE TABLE scratch ( id SERIAL PRIMARY KEY, name TEXT NOT NULL, rep_id INT NOT NULL REFERENCES reps, term_id INT REFERENCES terms ); CREATE TABLE reps ( id SERIAL PRIMARY KEY, rep TEXT…
mark
  • 59,016
  • 79
  • 296
  • 580
3
votes
2 answers

MySQL Parameterized Queries - Cache Duration

Possible Duplicate: Are prepared statements cached server-side across multiple page loads with PHP? I'm working on a new project and using parameterized queries for the first time (PHP with a MySQL DB). I read that they parameterized queries are…
Felix
  • 610
  • 2
  • 9
  • 21
3
votes
1 answer

Weird PDO behavior when reusing variable for bindParam

I am perplexed by this unexpected behavior from pdo: Consider this simple query i have written: $username = "vidhu"; $numResults = 10; $db_vc = new PDO(DB_ADDRESS, DB_USER, DB_PASS); $stmt = $db_vc->prepare("SELECT username, email…
Krimson
  • 7,386
  • 11
  • 60
  • 97
3
votes
2 answers

php parameterized SQL query special operator

I just happened to see the following way to compose a parameterized SQL query: function select_user($uid) { // what is '<<<'? // I can't google any document about it // (or I don't know how to search symbol) $sqlStr = <<<…
Bossliaw
  • 698
  • 1
  • 10
  • 23
3
votes
2 answers

SQL - OleDbCommand not changing Sql Parameter

Below is the code for my Select * Function - It WORKS well and does everything great until i change the SQL string from Select * From Company to query = "Select * From @1"; and then do the following query = "Select * From @1"; …
Markus
  • 133
  • 2
  • 13
2
votes
2 answers

performance of parameterised SQL

I have a query like SELECT * FROM myTable WHERE key LIKE 'XYZ' The value 'XYZ' is entered by users (and may include % and _) If I construct the query using string concatenation it runs in 10 seconds. But this is unsafe, and I should use a…
JonT
  • 502
  • 4
  • 13
2
votes
3 answers

How do I pass guid in parameterised query?

My current best code is: string delNonQuery = "DELETE FROM " + Settings.DataSource + " WHERE @keycolumn=@keyuid"; SqlCommand cmd = new SqlCommand(delNonQuery,readerConn); SqlParameter kc = new SqlParameter("keycolumn",…
One Monkey
  • 713
  • 3
  • 9
  • 24
2
votes
1 answer

Passin Bit field parameters to stored procedure using Entity Framework 4.1

All, I've been stuck on the following issue all day. I'm trying to make a parametrized stored procedure call that includes three bit field parameters. The exception I keep encountering is "Error converting data type nvarchar to bit." Here is my…
derek kenney
  • 141
  • 1
  • 13
2
votes
3 answers

Do you need parameterized SQL searches if you check the inputs?

I'm writing an R Shiny/SQLite app. In the app, I have a function that returns a column from one of the tables in my SQLite database, with the function taking the table name as an input. Before sending the query to SQLite, the function checks that…
Hattie35
  • 99
  • 8
2
votes
1 answer

Passing parameters not being recognized and throws SQL error when executing raw query (on SQL-Server database and Pymssql) with SqlAlchemy

I'm trying to execute simple raw SQL query, on SQL-Server db with SqlAlchemy (and Pymssql as provider). Here is my first try (using execute method of connection and passing parameters in **kwargs way): provider = DataProvider().engine q = "select…
Code_Worm
  • 4,069
  • 2
  • 30
  • 35
1 2 3
20 21