What's the best approach to follow for SQL execute


Ganesh

Hi There,

What's the better way to follow when we use SQL:
string sql = "Insert into table(f1,f2) values (@f1, @f2)";

then add and pass parameters, or in the first place itself assign the
values to the string:
string sql = "Insert into table(f1,f2) values (" + tbName.Text + ", " +
tbCity.Text +");";

Thanks

Ganesh

Jesse Houwing

* Ganesh wrote, On 29-7-2007 13:31:
Hi There,

What's the better way to follow when we use SQL:
string sql = "Insert into table(f1,f2) values (@f1, @f2)";

then add and pass parameters, or in the first place itself assign the
values to the string:
string sql = "Insert into table(f1,f2) values (" + tbName.Text + ", " +
tbCity.Text +");";


Adding and passing parameters is the only way to go. You'll be vulnerable
to all kinds of security issues otherwise (read up on SQL Injection).

Jesse

William Vaughn

The best approach is to use parameters--unless you're adding a lot of rows.
In this case SqlBulkCopy is far better.

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant, Dad, Grandpa
Microsoft MVP
INETA Speaker
www.betav.com
www.betav.com/blog/billva
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
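The parameterised form Jesse recommends and the SqlBulkCopy path Bill mentions for many rows, as an added C# example that is not code from either post; the table dbo.Customers and the connStr value are assumed placeholders.

```csharp
// Added example, not from the thread. Assumes dbo.Customers(Name nvarchar(100), City nvarchar(100)); connStr is a placeholder.
using System.Data;
using System.Data.SqlClient;

static class InsertDemo
{
    // UNSAFE: the concatenated form from the question. A name such as O'Brien
    // breaks the statement, and crafted input changes what the server executes.
    static void InsertByConcatenation(string connStr, string name, string city)
    {
        string sql = "INSERT INTO dbo.Customers(Name, City) VALUES ('"
                     + name + "', '" + city + "')";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // SAFE: values travel as typed parameters, never as SQL text, so the
    // statement the server parses is the same whatever the user typed.
    static void InsertWithParameters(string connStr, string name, string city)
    {
        const string sql =
            "INSERT INTO dbo.Customers(Name, City) VALUES (@Name, @City)";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@City", SqlDbType.NVarChar, 100).Value = city;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Many rows: SqlBulkCopy streams a DataTable (columns in the same order as
    // the table) instead of one command per row; values are still sent as data.
    static void InsertMany(string connStr, DataTable rows)
    {
        using (var conn = new SqlConnection(connStr))
        using (var bulk = new SqlBulkCopy(conn))
        {
            bulk.DestinationTableName = "dbo.Customers";
            conn.Open();
            bulk.WriteToServer(rows);
        }
    }
}
```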