what's the best approach to follow for sql execute

Discussion in 'Microsoft ADO .NET' started by Ganesh, Jul 29, 2007.

  1. Ganesh

    Ganesh Guest

    Hi There,

    What's the better way to follow when we use SQL:
    string sql = "Insert into table(f1,f2) values (@f1, @f2)";

    then add and pass parameters, or in the first place itself assign the
    values to the string:
    string sql = "Insert into table(f1,f2) values (" + tbName.Text + ", " +
    tbCity.Text +");";

    Thanks

    Ganesh
     
    Ganesh, Jul 29, 2007
    #1

  2. Ganesh wrote, On 29-7-2007 13:31:
    > Hi There,
    >
    > What's the better way to follow when we use SQL:
    > string sql = "Insert into table(f1,f2) values (@f1, @f2)";
    >
    > then add and pass parameters, or in the first place itself assign the
    > values to the string:
    > string sql = "Insert into table(f1,f2) values (" + tbName.Text + ", " +
    > tbCity.Text +");";

    Adding and passing parameters is the only way to go. You'll be vulnerable
    to all kinds of security issues otherwise (read up on SQL injection).

    Jesse
     
    Jesse Houwing, Jul 29, 2007
    #2

  3. The best approach is to use parameters, unless you're adding a lot of rows.
    In this case SqlBulkCopy is far better.

    --
    ____________________________________
    William (Bill) Vaughn
    Author, Mentor, Consultant, Dad, Grandpa
    Microsoft MVP
    INETA Speaker
    www.betav.com
    www.betav.com/blog/billva
    Please reply only to the newsgroup so that others can benefit.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    __________________________________
    Visit www.hitchhikerguides.net to get more information on my latest book:
    Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
    and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
    -----------------------------------------------------------------------------------------------------------------------

    "Ganesh" <> wrote in message
    news:...
    > Hi There,
    >
    > What's the better way to follow when we use SQL:
    > string sql = "Insert into table(f1,f2) values (@f1, @f2)";
    >
    > then add and pass parameters, or in the first place itself assign the
    > values to the string:
    > string sql = "Insert into table(f1,f2) values (" + tbName.Text + ", " +
    > tbCity.Text +");";
    >
    > Thanks
    >
    > Ganesh
     
    William Vaughn, Jul 30, 2007
    #3
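As an added illustration of the two replies above (this is example code, not code from the thread or from ADO.NET's documentation), the single-row insert done with SqlCommand parameters and the many-row case handed to SqlBulkCopy. The connection string and a Customers(Name, City) table are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class InsertExamples
{
    // Parameterized insert: the values travel as typed parameters and are
    // never spliced into the SQL text, so an apostrophe in a name is just data.
    public static int InsertParameterized(SqlConnection conn, string name, string city)
    {
        const string sql = "INSERT INTO Customers (Name, City) VALUES (@name, @city);";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@city", SqlDbType.NVarChar, 100).Value = city;
            return cmd.ExecuteNonQuery();
        }
    }

    // Many rows: stage them in a DataTable and stream them with SqlBulkCopy,
    // which also never builds SQL text from the row values.
    public static void BulkInsert(SqlConnection conn, DataTable rows)
    {
        using (SqlBulkCopy bulk = new SqlBulkCopy(conn))
        {
            bulk.DestinationTableName = "Customers";
            bulk.ColumnMappings.Add("Name", "Name");
            bulk.ColumnMappings.Add("City", "City");
            bulk.WriteToServer(rows);
        }
    }

    static void Main()
    {
        // Assumed connection string and schema (not from the thread).
        string cs = "Server=(local);Database=Demo;Integrated Security=true";
        using (SqlConnection conn = new SqlConnection(cs))
        {
            conn.Open();
            // Concatenated into the SQL, "O'Brien" would yield VALUES ('O'Brien', ...)
            // and break the statement; as a parameter it inserts correctly.
            InsertParameterized(conn, "O'Brien", "Dublin");

            DataTable table = new DataTable();           // constructed sample rows
            table.Columns.Add("Name", typeof(string));
            table.Columns.Add("City", typeof(string));
            table.Rows.Add("Ada", "London");
            table.Rows.Add("Grace", "Arlington");
            BulkInsert(conn, table);
        }
    }
}
```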
