sqlParameter


Tony Johansson

Hello!

I just wonder when I'm supposed to use a SqlParameter in a SqlCommand. I use
string.Format instead because it's much more straightforward and easier.
I know about SQL injection.
My first question is whether people bother to use this SqlParameter when they
have primitive data types, because it's much simpler to use string.Format?

In some cases it's necessary to use SqlParameter, and that is when you have
binary data types (BLOB).

So as a summary: I only use SqlParameter when I have a BLOB as the datatype; in
all other cases I use string.Format.

//Tony
 

Arne Vajhøj

Tony Johansson said:
I just wonder when I'm supposed to use a SqlParameter in a SqlCommand. I use
string.Format instead because it's much more straightforward and easier.
I know about SQL injection.
My first question is whether people bother to use this SqlParameter when they
have primitive data types, because it's much simpler to use string.Format?

In some cases it's necessary to use SqlParameter, and that is when you have
binary data types (BLOB).

So as a summary: I only use SqlParameter when I have a BLOB as the datatype; in
all other cases I use string.Format.

Always parameters for values.

It is the easiest and most verifiable way to protect against
SQL injection.

Use of String.Format would not make it through code review
in most companies.

Arne

PS: If you write a 50 line console app to load a CSV with
info about your CD collection into an Access database, then
I guess it is OK. But not for code that is intended to be used
in production in a company.
 

Tony Johansson

Arne Vajhøj said:
Always parameters for values.

It is the easiest and most verifiable way to protect against
SQL injection.

Use of String.Format would not make it through code review
in most companies.

Arne

PS: If you write a 50 line console app to load a CSV with
info about your CD collection into an Access database, then
I guess it is OK. But not for code that is intended to be used
in production in a company.

I agree with you, but I just wonder: if I have a BLOB that I want to store in
the database, is the only solution then to use SqlParameter? I mean, I just
tried with string.Format when I had a BLOB, but I ran into a runtime error.
I mean, if I were to store values of primitive types I can use string.Format,
even if this is not the best solution.

So is it that when I have a BLOB, which is a binary type, the only solution is
to use SqlParameter?

//Tony
 

Arne Vajhøj

Tony Johansson said:
I agree with you, but I just wonder: if I have a BLOB that I want to store in
the database, is the only solution then to use SqlParameter? I mean, I just
tried with string.Format when I had a BLOB, but I ran into a runtime error.
I mean, if I were to store values of primitive types I can use string.Format,
even if this is not the best solution.

So is it that when I have a BLOB, which is a binary type, the only solution is
to use SqlParameter?

As you said: a BLOB is binary.

SQL statements are text.

Unless the SQL dialect supports hex- or Base64-encoded binary literals,
it does not work.

Arne
 

J.B. Moreno

Tony Johansson -snip-
I agree with you, but I just wonder: if I have a BLOB that I want to store in
the database, is the only solution then to use SqlParameter? I mean, I just
tried with string.Format when I had a BLOB, but I ran into a runtime error.
I mean, if I were to store values of primitive types I can use string.Format,
even if this is not the best solution.

So is it that when I have a BLOB, which is a binary type, the only solution is
to use SqlParameter?

Nope. You could turn the binary into a hex string and then use
varbinary conversion in your SQL to turn it back into a binary on the
server.
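The following is an added example, not code from any of the posters above. It shows the pattern Arne recommends (parameters for every value, including the BLOB) next to the string.Format pattern Tony describes, so the difference is visible in one place. It assumes the classic System.Data.SqlClient provider, a hypothetical table `Files (Id INT, Name NVARCHAR(100), Payload VARBINARY(MAX))`, and a connection string supplied by the caller; the sample values are constructed for the demonstration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Added example. Assumed schema (not from the thread):
//   CREATE TABLE Files (Id INT, Name NVARCHAR(100), Payload VARBINARY(MAX))
static class ParameterizedInsert
{
    // The pattern discussed in the thread: values pasted into the SQL text.
    // Any apostrophe in 'name' changes the statement instead of the data, a
    // double is rendered with the current culture (possibly "3,14"), and a
    // byte[] has no text form at all, which is the runtime error Tony saw.
    public static string FormattedSql(int id, string name) =>
        string.Format("INSERT INTO Files (Id, Name) VALUES ({0}, '{1}')", id, name);

    // Parameterized form: the statement text is constant; every value,
    // including the binary payload, travels as a typed parameter.
    public static int InsertFile(SqlConnection conn, int id, string name, byte[] payload)
    {
        const string sql =
            "INSERT INTO Files (Id, Name, Payload) VALUES (@id, @name, @payload)";

        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            // Size -1 maps to VARBINARY(MAX); a null payload becomes SQL NULL.
            cmd.Parameters.Add("@payload", SqlDbType.VarBinary, -1).Value =
                (object)payload ?? DBNull.Value;
            return cmd.ExecuteNonQuery();
        }
    }

    static void Main(string[] args)
    {
        // Constructed sample values: a name containing an apostrophe and an
        // arbitrary byte sequence standing in for a BLOB.
        const string name = "O'Brien report";
        byte[] payload = Encoding.UTF8.GetBytes("not really a file");

        // The formatted statement is now malformed because of the apostrophe;
        // printing it makes the problem visible without executing anything.
        Console.WriteLine(FormattedSql(1, name));

        // Placeholder connection string; replace with a real one to run.
        const string connectionString = "<your connection string>";
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            int rows = InsertFile(conn, 1, name, payload);
            Console.WriteLine($"rows inserted: {rows}");
        }
    }
}
```

Because the parameter values never become part of the SQL text, the same code handles quotes, Unicode, culture-specific number formatting and binary data without any encoding step, which is also why it is easy to verify in code review: the statement string is a constant and can be read in isolation.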
 
