hard quetion parameter

[ucasesoftware]

I have this :

dim cmd as new sqlcommand("Insert into (value1, value2) VALUES
(@value1, @value2)", myConnexion)
with cmd
..parameters.add("@value1", sqldbtype.nvarchar, 50).value = "me"
..parameters.add("@value2", sqldbtype.nvarchar, 50).value = "you"
end cmd

Is it possible now to have a string like with a property of cmd ?

insert into(value1,value2) VALUES ('me', 'you') ?

 

[Cor Ligthert [MVP]]

Hi,

Your first method is recomended both should work fine. If your parameter is
fixed than I see no reason why not to do it in the second way. I read often
here to prevent SQL insertions, however that is AFAIK if you have not added
the SQL2000 server SP3.

I am not complete sure of the last.

Cor

 

[ucasesoftware]

no you don't undestand what i want

i do the first method

but i want to store the real one in a Array (to update another
database)

so i use always

dim cmd as new sqlcommand("Insert into (value1, value2) VALUES
(@value1, @value2)", myConnexion)
with cmd
..parameters.add("@value1", sqldbtype.nvarchar, 50).value = "me"
..parameters.add("@value2", sqldbtype.nvarchar, 50).value = "you"
end cmd


but after i do this i want to have it in a single string to store it in
a array

undertand ?

 

[Jevon]

If the parameters are always fixed, then no you shouldn't be susceptible to
Injection attacks. However, it's good practise to always use parameters (or
stored procedures) anyway.

Have a read of http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/
for more information.

Jevon

 

[Andrew Morton]

no you don't undestand what i want

i do the first method

but i want to store the real one in a Array (to update another
database)

so i use always

dim cmd as new sqlcommand("Insert into (value1, value2) VALUES
(@value1, @value2)", myConnexion)
with cmd
.parameters.add("@value1", sqldbtype.nvarchar, 50).value = "me"
.parameters.add("@value2", sqldbtype.nvarchar, 50).value = "you"
end cmd


but after i do this i want to have it in a single string to store it
in a array

undertand ?

dim cmd as new sqlcommand("Insert into (value1, value2) VALUES (@value1,
@value2)", myConnexion)

dim s as string=cmd.CommandText
cmd.parameters.add("@value1", sqldbtype.nvarchar, 50).value = "me"
s.Replace("@value1", "'" & "me" & "'")
cmd.parameters.add("@value2", sqldbtype.nvarchar, 50).value = "you"
s.Replace("@value2", "'" & "you" & "'")

String s now contains "Insert into (value1, value2) VALUES ('me', 'you')"

But then you lose the safety of a parameterized query when you update the
other database.

If you're storing it in an array, you might as well store enough information
to be able to use a parameterized query again.

Andrew

 

[ucasesoftware]

In other words, sqlUpdateCommand1.CommandText simply returns the sql
command
without the parameter values. Is there a way to see the sql statement
with
the parameter values once the parameters have been populated?