The main reason you should parameterise queries is to protect against "SQL 
injection".  "Hardcoded" as below doesn't make much difference, but if the data 
being used comes in any way from an "untrusted" source, then this is 
particularly important.
If, instead of "234.56" below a malicious user could arrange to pass something 
like "2, '14/3/2017'); drop trend_data" then horrible things might happen!
Using parameters stops this, because no (SQL) parsing of the parameter value 
happens.
Graham. 


-------- Original message --------
From: Chris Locke <sql...@chrisjlocke.co.uk>
Date: 14/03/2017 06:52 (GMT+00:00)
To: SQLite mailing list <sqlite-users@mailinglists.sqlite.org>
Subject: Re: [sqlite] How to use parameterized queries in SQLite.Net
From a newbie's point of view, how is this better (if doing it in 'hard
coded' format like below) than writing this code:

// C# (SQLite.Net / ADO.NET): the values are interpolated into the SQL text
command.CommandText = string.Format("INSERT INTO trend_data (tag_key,
value, value_timestamp) VALUES ({0}, {1}, {2})", 2, 234.56, now);

I can sort of understand it if it's in a subroutine, and I appreciate the
example given was just an example, but what's the advantage of parameterized
queries?

Sorry if diverting the topic somewhat....
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
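To make Graham's point concrete, here is an added example (not code from the thread or from SQLite.Net) run against an in-memory SQLite database from Python's standard sqlite3 module. The trend_data schema, the helper names and the sample values are assumptions for the demonstration; the hostile value is the one quoted in the thread. The parameterised insert stores that value as plain data and the table survives, whereas the string.Format approach changes the structure of the SQL text itself, which is why the parser could be tricked into running something the author never wrote.

```python
import sqlite3

# Constructed sample values; the hostile one is the string from the thread.
NORMAL_VALUE = 234.56
HOSTILE_VALUE = "2, '14/3/2017'); drop trend_data"
TIMESTAMP = "14/3/2017"


def make_db():
    """Throw-away in-memory database with an assumed trend_data schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE trend_data ("
        "tag_key INTEGER, value REAL, value_timestamp TEXT)"
    )
    return conn


def insert_trend_parameterised(conn, tag_key, value, value_timestamp):
    """Parameterised insert: the SQL text is fixed, the values are bound
    separately and are never parsed as SQL."""
    conn.execute(
        "INSERT INTO trend_data (tag_key, value, value_timestamp) "
        "VALUES (?, ?, ?)",
        (tag_key, value, value_timestamp),
    )
    conn.commit()


def build_sql_by_formatting(tag_key, value, value_timestamp):
    """The string.Format style from the thread, returned as text only, so the
    effect of an untrusted value on the statement is visible without
    executing it."""
    return (
        "INSERT INTO trend_data (tag_key, value, value_timestamp) "
        "VALUES ({0}, {1}, {2})"
    ).format(tag_key, value, value_timestamp)


def statement_count(sql):
    """Number of top-level statements the SQLite tokenizer would see
    (split on ';' outside quotes); a hand-rolled check for illustration."""
    count, in_quote = 0, False
    for ch in sql:
        if ch == "'":
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            count += 1
    # A trailing statement without ';' still counts as one.
    return count + (0 if sql.rstrip().endswith(";") else 1)


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row is not None


def stored_rows(conn):
    return conn.execute(
        "SELECT tag_key, value, value_timestamp FROM trend_data ORDER BY rowid"
    ).fetchall()


def demo():
    """Insert a normal and a hostile value with parameters, then compare
    with what string formatting would have produced."""
    conn = make_db()
    insert_trend_parameterised(conn, 2, NORMAL_VALUE, TIMESTAMP)
    insert_trend_parameterised(conn, 2, HOSTILE_VALUE, TIMESTAMP)
    formatted = build_sql_by_formatting(2, HOSTILE_VALUE, repr(TIMESTAMP))
    return {
        "table_still_exists": table_exists(conn, "trend_data"),
        "rows": stored_rows(conn),
        # The parameterised statement is always exactly one statement.
        "param_statements": 1,
        "formatted_statements": statement_count(formatted),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "=", val)
```

With parameters the hostile string lands in the value column as text (SQLite's REAL affinity keeps a non-numeric string as TEXT), the table is untouched, and the statement count stays at one no matter what the caller supplies. The formatted text, by contrast, has become two statements, which is the "horrible things" scenario Graham describes.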
