Coming from an ASP background, doing this is dangerous, as the quoted value would normally be replaced with "id = '" + ID.Text + "'". This can easily be attacked with SQL injection, whereas parameterised queries are nowhere near as vulnerable.
Best regards,
Dave Colliver.
http://www.BrightonFOCUS.com ~~ http://www.FOCUSPortals.com - Local franchises available

----- Original Message -----
From: "John Wilson" <[EMAIL PROTECTED]>
To: <delphi-db@elists.org>
Sent: Thursday, January 25, 2007 4:12 PM
Subject: Re: ASP.NET / ADO.NET query parameters by name

>> Hello everyone.
>>
>> I'm learning ASP.NET and in the process I need to learn ADO.NET; the
>> syntax for defining and using a SQL query that makes use of parameters
>> seems really difficult to me, so I hope I'm actually missing something.
>>
>> This is what I'm doing now:
>>
>> procedure Test;
>> var X: FbCommand;
>> begin
>>   X := FbCommand.Create('SELECT * FROM TAB WHERE ID=?', Connection, Transaction);
>>   X.Parameters.Add('', DbType.&String).Value := '7';
>>   X.ExecuteReader; // etc
>> end;
>>
>> This is strange to me because it forces me to use "?" marks for
>> parameters (difficult to maintain) and it forces me to refer to those
>> parameters by POSITION (difficult to maintain). In the Win32 world I
>> would have used named parameters and that's really easy to maintain.
>>
>> Am I missing something? I sure hope I'm missing something...
>>
>> Thanks,
>> Cosmin Prund
>
> Hi Cosmin,
>
> Hopefully I didn't miss the point of your question, but is there a
> reason you can't just say
>
> X := FbCommand.Create('SELECT * FROM TAB WHERE ID=''7''', Connection, Transaction);
>
> (note the use of the double "'" around the thing you are looking for).
>
> I use Firebird quite extensively in a number of C# projects, and in the
> beginning I battled with parameters too. Now it doesn't appear as if
> they are often necessary as long as you "quote" your values and criteria
> properly.
>
> Hope that helps?
>
> John.
>
> _______________________________________________
> Delphi-DB mailing list
> Delphi-DB@elists.org
> http://www.elists.org/mailman/listinfo/delphi-db
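Added example, not part of the thread above and not code from any of its authors: it shows concretely why Dave's warning about John's "just quote the value" advice holds, and that Cosmin's wish for named parameters does not cost any safety. Python's built-in sqlite3 module stands in for the Firebird/ADO.NET stack so the example runs offline; the table TAB and its three rows are constructed here. sqlite3 spells a named placeholder as :id (the ADO.NET provider syntax, such as @id, is an assumption and is not shown on the page). The quoted version takes the user-supplied value straight from the caller, as "id = '" + ID.Text + "'" would in an ASP page.

```python
import sqlite3

# Constructed sample data standing in for the thread's TAB table.
ROWS = [(7, "seven"), (8, "eight"), (9, "nine")]


def make_db():
    """In-memory database with a TAB table; a stand-in for the Firebird connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TAB (ID INTEGER PRIMARY KEY, NAME TEXT)")
    conn.executemany("INSERT INTO TAB VALUES (?, ?)", ROWS)
    return conn


def query_quoted(conn, id_text):
    """John's approach: put the value in the SQL text, wrapped in single quotes.

    The database parses whatever id_text contains as SQL, so a value holding a
    quote changes the statement itself.
    """
    sql = "SELECT ID, NAME FROM TAB WHERE ID = '" + id_text + "'"
    return conn.execute(sql).fetchall()


def query_positional(conn, id_text):
    """Cosmin's current approach: a '?' placeholder bound by position."""
    sql = "SELECT ID, NAME FROM TAB WHERE ID = ?"
    return conn.execute(sql, (id_text,)).fetchall()


def query_named(conn, id_text):
    """Dave's point: a named placeholder (:id in sqlite3) is as safe as '?',
    because the value is sent separately from the statement and never parsed
    as SQL. It is also the maintainable form Cosmin was asking for."""
    sql = "SELECT ID, NAME FROM TAB WHERE ID = :id"
    return conn.execute(sql, {"id": id_text}).fetchall()


def quoted_query_fails(conn, id_text):
    """True if the string-built query is rejected as malformed SQL for this value."""
    try:
        query_quoted(conn, id_text)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    benign = "7"
    attack = "7' OR '1'='1"   # constructed injection payload
    stray = "7'"              # a single stray quote, e.g. a typo in a form field
    print("quoted, benign:    ", query_quoted(db, benign))
    print("named, benign:     ", query_named(db, benign))
    print("quoted, injected:  ", query_quoted(db, attack))   # every row leaks
    print("named, injected:   ", query_named(db, attack))    # no row matches
    print("quoted, stray quote fails:", quoted_query_fails(db, stray))
    print("named, stray quote:", query_named(db, stray))
```

Run with a value such as 7' OR '1'='1 and the quoted form returns the whole table because the payload closes the literal and appends its own condition; the named and positional forms compare ID against that literal string and return nothing. The stray-quote case shows the non-security cost of quoting by hand: a plain typo turns into a SQL syntax error, while the parameterised query simply finds no match.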