>
>Thank you for the explanation. Do I understand correctly that when you use the "?parameter" approach you are not opening the database to the public? And when you are sending a SQL string to be executed on the server, you are?
Yes, with the parameter approach your calls are immune to attack. With the string-building approach you let people do anything that the connected user could do (like querying sensitive data, deleting tables, ...).
Cetin
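
Added example, not part of the original thread: the two approaches discussed above run side by side against the same input. It assumes Python's `sqlite3` with an in-memory database as a stand-in for the server and for the "?parameter" syntax; the table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory SQLite stands in for the thread's server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card TEXT)")
    db.executemany(
        "INSERT INTO customers (name, card) VALUES (?, ?)",
        [("alice", "4111-0000"), ("bob", "4222-0000"), ("carol", "4333-0000")],
    )
    return db

def find_by_string_building(db, name):
    # Weak form: the value is pasted into the SQL text, so a quote inside it
    # is parsed as SQL syntax rather than as data.
    sql = "SELECT name, card FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def find_by_parameter(db, name):
    # Parameter form: the SQL text is fixed; the value travels separately
    # and is only ever compared as a string.
    return db.execute(
        "SELECT name, card FROM customers WHERE name = ?", (name,)
    ).fetchall()

# Constructed input containing a quote that closes the string literal early.
HOSTILE_NAME = "nobody' OR '1'='1"

def compare(name):
    # Returns (rows from string building, rows from the parameter query).
    db = make_db()
    try:
        return find_by_string_building(db, name), find_by_parameter(db, name)
    finally:
        db.close()

if __name__ == "__main__":
    for label, value in (("ordinary", "bob"), ("hostile", HOSTILE_NAME)):
        built, bound = compare(value)
        print(f"{label:9} string-built rows={len(built)} parameter rows={len(bound)}")
```

With the ordinary name both functions return the same single row; with the constructed hostile value the string-built query returns every row in the table, while the parameter query looks for a customer literally named that string and returns nothing.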