>Hi
>
>I need a favor , where I see what's the advantages and disadvantages to use Sqlparameters and send the string
>
>Ex:
>
>select * from tbale where cod=1000
>
>and
>
>select * from tbla where code=@Number
>
>Thanks
Advantages:
Prevents one form of SQL injection attack.
If the query is part of a stored procedure, using parameters allows the query optimizer to cache the execution plan which saves the compilation time for subsequent executions.
Disadvantages:
When different parameter values can change the size of the result set by a large factor, the cached execution plan may not be the most efficient execution plan.
e.g.
select * from tblA where ((@Number is null) or (code = @Number))
If the preceding code is called with @Number = 12554, one row is returned. If tblA contains 13M rows, then calling with @Number = null returns all 13M rows.
In the first query, an index seek + bookmark lookup is optimal.
In the second query, a table scan is optimal.
If the second query runs with the first query's execution plan, it would likely increase the run time by 500% or more.
**** None of this matters if you are using CommandText. The only consideration with CommandText is the security that you get using parameters.