On Feb 5, 2011, at 12:33, Sibylle Koczian <Sibylle.Koczian@t-online.de> wrote:

> Parameters are for values and only for values, but they are the strongly
> recommended method for them (quoting and SQL injections are the main
> reasons, I think).
>
> Right or wrong?

Right! It is considered bad practice to put the parameters into the SQL string due to the possibility of SQL injection. Sometimes you have to, like with table names, unfortunately, but you work with what you've got. Also, by passing the parameters to the adapter, you are letting the adapter do the heavy lifting of formatting them correctly, resulting in simpler code on your end.

Paul

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/dabo-users
Searchable Archives: http://leafe.com/archives/search/dabo-users
This message: http://leafe.com/archives/byMID/[email protected]
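An added illustration of the two points in the reply above (it is not code from the thread or from Dabo): the adapter's parameter binding handles quoting for values, while a table name, which cannot be bound, is checked against an allow-list before it is spliced into the statement. It uses Python's `sqlite3` DB-API adapter on an in-memory database with constructed sample rows.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the list thread).
ROWS = [("O'Reilly", 1), ("Smith", 2)]

# Allow-list of identifiers that may be spliced into SQL text. Table names
# cannot be passed as DB-API parameters, so they must be validated instead.
ALLOWED_TABLES = {"customers"}


def make_db():
    """Create the in-memory database and load the sample rows (parameterized)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (name TEXT, id INTEGER)")
    con.executemany("INSERT INTO customers VALUES (?, ?)", ROWS)
    return con


def find_unsafe(con, name):
    """Bad practice: the value is formatted into the SQL string.

    A quote inside the data changes the statement itself, so a name such
    as O'Reilly produces a syntax error (and crafted input could do worse).
    """
    sql = "SELECT id FROM customers WHERE name = '%s'" % name
    return con.execute(sql).fetchall()


def find_safe(con, name):
    """Recommended: the value is handed to the adapter as a parameter.

    The adapter does the quoting, so the value is always treated as data
    and the same code works for any name.
    """
    sql = "SELECT id FROM customers WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def count_rows(con, table):
    """Identifiers cannot be bound, so reject anything not on the allow-list."""
    if table not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % table)
    sql = 'SELECT COUNT(*) FROM "%s"' % table
    return con.execute(sql).fetchone()[0]
```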
