Chris Locke wrote:
> From a newbie's point of view, how is this better (if doing it in 'hard
> coded' format like below) than writing this code:
>
> command.CommandText = string.format("INSERT INTO trend_data (tag_key,
> value, value_timestamp) VALUES ({0}, {1}, {2})",2,234.56,now);

Using parameters is not too much of an improvement in a case like this.

But when you have strings (or values that _could_ be strings because you
don't completely control their source), you have to format them
correctly (many people forget escaping quotes), and you run the risk of
SQL injections: <http://bobby-tables.com/>.

And when you already have to use parameters for any query with strings,
it's a good habit to use them everywhere.


Handling parameters is excessively complex in .NET.  It might be a good
idea to write a helper function that is as simple as format():

  db.execute("INSERT INTO tab VALUES (?, ?, ?)", 123, name, now);


Regards,
Clemens
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
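As an added illustration of the point made in this thread (not code from the thread or from any SQLite wrapper): Python's built-in sqlite3 module stands in for the .NET provider, a small `execute()` helper gives the format()-like call shape Clemens proposes, and the two failure modes he mentions are shown side by side: a legitimate value containing a quote that breaks formatted SQL, and an injection payload that a formatted WHERE clause accepts while the parameterised one treats it as plain text. The schema, the tag names and the payload are constructed for the example.

```python
import sqlite3
from datetime import datetime


def make_db():
    """Constructed schema: the trend table from the thread plus a tag-name table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (tag_key INTEGER PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE trend_data (tag_key INTEGER, value REAL, value_timestamp TEXT)"
    )
    return conn


def execute(conn, sql, *args):
    """format()-style helper (an assumption for this example, not a real API):
    same call shape as db.execute("... (?, ?, ?)", 123, name, now), but the
    driver binds each '?' to a value; nothing is spliced into the SQL text."""
    return conn.execute(sql, args)


def add_tag_formatted(conn, tag_key, name):
    """The string-formatting approach: fine for numbers, wrong for strings."""
    sql = "INSERT INTO tags (tag_key, name) VALUES ({0}, '{1}')".format(tag_key, name)
    conn.execute(sql)


def add_tag_param(conn, tag_key, name):
    """The same insert with bound parameters; quotes in name need no escaping."""
    execute(conn, "INSERT INTO tags (tag_key, name) VALUES (?, ?)", tag_key, name)


def find_tag_formatted(conn, name):
    """Lookup with the value formatted into the WHERE clause (injectable)."""
    sql = "SELECT tag_key FROM tags WHERE name = '{0}' ORDER BY tag_key".format(name)
    return [row[0] for row in conn.execute(sql)]


def find_tag_param(conn, name):
    """Lookup with a bound parameter: the value can only ever be a string literal."""
    rows = execute(conn, "SELECT tag_key FROM tags WHERE name = ? ORDER BY tag_key", name)
    return [row[0] for row in rows]


def demo():
    conn = make_db()
    results = {}

    # 1. A perfectly legitimate name with an apostrophe. Formatting yields
    #    VALUES (1, 'O'Brien'), which SQLite rejects as a syntax error.
    try:
        add_tag_formatted(conn, 1, "O'Brien")
        results["formatted_quote"] = "inserted"
    except sqlite3.OperationalError:
        results["formatted_quote"] = "syntax error"

    # The parameterised insert stores the same name untouched.
    add_tag_param(conn, 1, "O'Brien")
    add_tag_param(conn, 2, "boiler")
    results["param_quote"] = find_tag_param(conn, "O'Brien")

    # 2. A classic injection payload (constructed). Formatted, the query becomes
    #    WHERE name = '' OR '1'='1' and returns every row; bound, it matches nothing.
    payload = "' OR '1'='1"
    results["formatted_lookup"] = find_tag_formatted(conn, payload)
    results["param_lookup"] = find_tag_param(conn, payload)

    # 3. Numbers and timestamps go through the same helper, so one habit covers
    #    every query, which is the point made in the thread.
    execute(
        conn,
        "INSERT INTO trend_data (tag_key, value, value_timestamp) VALUES (?, ?, ?)",
        2, 234.56, datetime(2009, 1, 1, 12, 0).isoformat(),
    )
    results["rows"] = conn.execute("SELECT COUNT(*) FROM trend_data").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running `demo()` shows the formatted insert failing on `O'Brien`, the formatted lookup returning both tag keys for the payload, and the parameterised versions behaving correctly in both cases.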