C# ADO Executing Stored Procedure Problem
Forum: ASP.NET
Category: Coding, syntax and commands / Miscellaneous
Thread ID: 01374697
Message ID: 01375247
Views: 10
You should not if you want to avoid SQL injection attacks.

>Ok, I see.
>
>But could you not just do:
>
>
>sc.CommandText = "Insert into bob (xyz, abc) VALUES ( '" + sValue1 + "','" + sValue2 + "' )";
>sc.ExecuteNonQuery();
>
>
>once for each new row in the DS?
>
>
>
>
>>>Now I'm confused.
>>>
>>>You have:
>>
>>
>>>sc.CommandText = "Insert into bob (xyz, abc) VALUES ( @xyz, @abc )";
>>>sc.Parameters.Clear();
>>>sc.Parameters.Add("@xyz", Row["xyz"]);
>>>sc.Parameters.Add("@abc", Row["abc"]);
>>>sc.ExecuteNonQuery();
>>
>>
>>>You could just as easily do:
>>
>>>sc.CommandText = "Insert into bob (xyz, abc) VALUES ( @xyz, @abc )";
>>>sc.ExecuteNonQuery();
>>
>>
>>>So what do the parameters do?

>>
>>
>>
>>Think about what you just wrote Kevin. What good is
>>
>>"Insert into bob (xyz, abc) VALUES ( @xyz, @abc )";
>>
>>
>>when @xyz and @abc aren't defined as anything?!?!?
>>
>>That's what this does, defines and adds the parameters to the Command object:
>>
>>
>>sc.Parameters.Clear();
>>sc.Parameters.Add("@xyz", Row["xyz"]);
>>sc.Parameters.Add("@abc", Row["abc"]);
>>
>>
>>~~Bonnie
If it's not broken, fix it until it is.


My Blog
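Added example, not code from the thread or from Bonnie: the concatenated INSERT quoted above placed beside the parameterized form she describes, run once per row of a DataTable. It assumes System.Data.SqlClient against SQL Server, a table bob(xyz, abc) with nvarchar(50) columns, and a connection string supplied by the caller.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Assumes a table bob(xyz nvarchar(50), abc nvarchar(50)) as in the thread.
public static class BobInserter
{
    // Concatenated form from the thread: the value becomes part of the SQL text,
    // so a quote inside the data changes the statement instead of being stored.
    public static string BuildUnsafeInsert(string v1, string v2)
    {
        return "Insert into bob (xyz, abc) VALUES ( '" + v1 + "','" + v2 + "' )";
    }

    // Parameterized form: the SQL text never changes; values travel as typed
    // parameters, so they stay data no matter what characters they contain.
    public static int InsertRows(string connectionString, DataTable rows)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var sc = conn.CreateCommand())
        {
            conn.Open();
            using (var tx = conn.BeginTransaction())
            {
                sc.Transaction = tx;
                sc.CommandText = "INSERT INTO bob (xyz, abc) VALUES (@xyz, @abc)";
                // Add(name, SqlDbType, size) instead of the obsolete Add(name, object):
                // explicit type and length avoid implicit conversions and let the
                // server reuse one plan for every row.
                sc.Parameters.Add("@xyz", SqlDbType.NVarChar, 50);
                sc.Parameters.Add("@abc", SqlDbType.NVarChar, 50);
                sc.Prepare();
                int inserted = 0;
                foreach (DataRow row in rows.Rows)
                {
                    // Rebind values only; DataRow yields DBNull.Value for nulls,
                    // which the parameter passes through as SQL NULL.
                    sc.Parameters["@xyz"].Value = row["xyz"];
                    sc.Parameters["@abc"].Value = row["abc"];
                    inserted += sc.ExecuteNonQuery();
                }
                tx.Commit();
                return inserted;
            }
        }
    }
}
```

Passing a value such as O'Brien to BuildUnsafeInsert produces a statement with an unbalanced quote that the server rejects, whereas InsertRows stores the same value unchanged because it never touches the SQL text.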