发表新帖
发表新帖

What is passing parameters to SQL and why do I need it?

后端 未结
关注
5 863
小蘑菇
小蘑菇 2020-11-27 20:31

Beginner here:

In this answer to my question of how to insert data into SQL Server he mentioned passing parameters instead of string concatenation like I currently

相关标签:
5条回答
  • 梦谈多话
    2020-11-27 20:50

    The primary issue with simply concatenating strings is that it often leaves you vulnerable to SQL Injection attacks.

    Google SQL Injection or read here.

    0 讨论(0)
  • 别跟我提以往
    2020-11-27 20:52

    In addition to SQL injection and the like, parameterized queries always look the same to the SQL server. Most likely the query execution plan will be cached, so if you send the same query again it will run faster. This would be very noticeable if you are running the same query many times in a loop or you have many clients querying your server.

    0 讨论(0)
  • 梦毁少年i
    2020-11-27 21:01

    It'll protect you from little Bobby Tables.

    http://xkcd.com/327/

    0 讨论(0)
  • -上瘾入骨i
    2020-11-27 21:07

    Passing parameters to SQL saves you from having to build a dynamic SQL string.

    Building dynamic SQL statements is a HUGE security risk because people can inject their own SQL code into your application, possibly executing undesirable commands against your data.

    There are some good samples of possible SQL Injection attacks at:

    SQL Injection Attacks by Example

    There are two ways of passing parameters to SQL statements. One is to use Stored Procedures like you mentioned. The other is to use parameterized queries (which is actually what I prefer).

    A parameterized query is actually quite easy in .NET:

    using(SqlConnection conn = new SqlConnection(connString))
{
    SqlCommand command = 
        new SqlCommand("SELECT * FROM Users WHERE Username = @Username", conn);

    command.Parameters.Add(new SqlParameter("@Username", "Justin Niessner"));

    SqlDataAdapter adapter = new SqlDataAdapter(command);
    DataTable dt = new DataTable();

    adapter.Fill(dt);
}

    In that example, the parameter was @Username and we used the Parameters collection of the SqlCommand object to pass in the value.

    0 讨论(0)
  • 余生分开走
    2020-11-27 21:11

    Here is an example:

            SqlConnection myConn = new SqlConnection("my connection string");

        SqlCommand myCmd = new SqlCommand("myStoredProcName", myConn);

        myCmd.CommandType = CommandType.StoredProcedure;

        myCmd.Parameters.AddWithValue("@cGroupID", 0).Direction = ParameterDirection.InputOutput;
        myCmd.Parameters.AddWithValue("@gType", "C");
        myCmd.Parameters.AddWithValue("@requirement", "Y");
        myCmd.Parameters.AddWithValue("@usercode", "XX");

        myConn.Open();
        myCmd.ExecuteNonQuery();

        int covID = (int)myCmd.Parameters["@cGroupID"].Value;

    Using Parameters is a good way to prevent some errors, and help stop injection vectors. It also allows OUTPUT parameters, as in the example above where cGroupID comes back with a value that I can access.

    0 讨论(0)
 看不清?
提交回复
热议问题