>>
>>Thank you for the explanation. Do I understand correctly that when you use the "?parameter" approach you are not opening database to the public? And when you are sending a SQL string to be executed on the server, you are?
>
>Yes, with parameter approach your calls are immune to attack. With string building approach you let people to be able to do anything that connected user could do (like querying sensitive data, deleting tables, ...).
>Cetin


You are still sending open SQL statements across to the SQL server. The fact that you add the date to the command via parameter or straight text doesn't change the string you are sending to the server does it? It is still a raw SQL command.

AFAIK to prevent SQL injection, the idea is to NOT send raw SQL commands to the server - Instead call stored procedures and send parameters - the hacker does not see database structure that way.