Re: Passing an int to a query
Posted by: David
Date: March 11, 2005 08:33AM

Two reasons that I know of off-hand to use parameters.

1) They help prevent SQL injection attacks. By using parameters, you help prevent the user from being able to add inline script that can affect your database. It's not a cure-all, but it is another layer of protection.

2) Parameters take care of type-casting for you. Anybody who has tried getting DateTime fields to work from one database to another can attest to this. Each database that I've dealt with as of late has a different method for storing DateTime data, and without using parameters, you have to write a bunch of extra code to cast the data to make your program work. It's a pain.

I can write a program that deals with Microsoft SQL Server, and if I need to port it to MySQL (or vice versa) all I have to do is a couple of quick find/replace procedures for the class library name in my code, and voila, it works.

David
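An added example (not part of David's post) showing both of his points side by side: a query built by string concatenation that accepts an "int" which is really `1 OR 1=1`, the same lookup with a bound parameter, and a DateTime round-trip handled by the driver rather than hand-written casts. It uses Python's sqlite3 instead of the class libraries he mentions; the `users` table, its rows and the TIMESTAMP adapter/converter are assumptions for the demo.

```python
import sqlite3
from datetime import datetime

# Point 2: tell the driver how to move datetime values in and out of the database,
# so application code never formats or parses date strings itself.
sqlite3.register_adapter(datetime, lambda d: d.isoformat(" "))
sqlite3.register_converter("TIMESTAMP", lambda b: datetime.fromisoformat(b.decode()))


def make_db():
    """Constructed in-memory sample data (assumption: an int id and a TIMESTAMP column)."""
    conn = sqlite3.connect(":memory:", detect_types=sqlite3.PARSE_DECLTYPES)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, created TIMESTAMP)")
    rows = [
        (1, "alice", datetime(2005, 3, 8, 11, 31)),
        (2, "bob", datetime(2005, 3, 10, 9, 39)),
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return conn


def lookup_concat(conn, user_input):
    """Vulnerable: the 'int' is spliced into the SQL text, so it can carry SQL."""
    sql = "SELECT name FROM users WHERE id = " + str(user_input)
    return [r[0] for r in conn.execute(sql)]


def lookup_param(conn, user_input):
    """Parameterised: the value is bound as data and is never parsed as SQL."""
    cur = conn.execute("SELECT name FROM users WHERE id = ?", (user_input,))
    return [r[0] for r in cur]


def rows_before(conn, when):
    """Bind a datetime directly; the adapter/converter handle both directions."""
    cur = conn.execute("SELECT name, created FROM users WHERE created < ?", (when,))
    return [(r[0], r[1]) for r in cur]


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "1 OR 1=1"))   # both rows: the input rewrote the WHERE clause
    print(lookup_param(db, "1 OR 1=1"))    # no rows: compared as a literal value
    print(rows_before(db, datetime(2005, 3, 9)))  # datetime comes back as a datetime
```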
