Just to add another reference:
http://xkcd.com/327/>The other advantage is that parameters prevent SQL Injection. The concatenated examples in this thread are all wide open to injection if a hacker can sneak a quote character into the parameter followed by their own SQL command that could be a SELECT * to steal your customer list or a DROP if they are malicious. You can write code to watch for quotes and other injection attempts, but using parameters makes it a complete non-event.
>
>FWIW for those who have not encountered SQL Injection, here's a simple example of concatenated SQL:
>
"SELECT * FROM members WHERE username = "'+lcusername+"'"
>If the hacker can enter their username as
bob'; DROP table members; -- then the SQL becomes
>
SELECT * FROM members WHERE username='bob'; DROP table members; --'
>and you get the idea. yes you can write code to prevent use of quote characters etc but this cannot occur at all if you use parameters.
----------------------------------
António Tavares Lopes