The main reason you should parameterise queries is to protect against "SQL injection". "Hardcoded" as below doesn't make much difference, but if the data being used comes in any way from an "untrusted" source, then this is particularly important. If, instead of "234.56" below, a malicious user could arrange to pass something like "2, '14/3/2017'); drop trend_data" then horrible things might happen! Using parameters stops this, because no (SQL) parsing of the parameter value happens.

Graham.
-------- Original message --------
From: Chris Locke <[email protected]>
Date: 14/03/2017 06:52 (GMT+00:00)
To: SQLite mailing list <[email protected]>
Subject: Re: [sqlite] How to use parameterized queries in SQLite.Net

From a newbie's point of view, how is this better (if doing it in 'hard coded' format like below) than writing this code:

command.CommandText = string.Format("INSERT INTO trend_data (tag_key, value, value_timestamp) VALUES ({0}, {1}, {2})", 2, 234.56, now);

I can sort of understand it if it's in a subroutine, and I appreciate the example given was just an example, but what's the advantage of parameterized queries? Sorry if diverting the topic somewhat....

