Browse All Articles > PAEVISS – Programmers Against Embedded Values In SQL Statements
First there was
PAFSO – Programmers Against the File System Object
Then there was PAUES – Programmers Against the Use of the End Statement
Now Experts Exchange brings you PAEVISS - Programmers Against Embedded Values In SQL Statements
With ADO.NET there is sometimes a need to insert, update or query the database using a command object.
You may notice that this looks similar to the syntax that is used for stored procedures. In fact, the use of parameters can have an effect at the server level to increase execution plan reuse, and thus boost performance slightly. (However, if your SQL Server database has forced parameterization, then every query submitted to the database is compiled with parameters.)
There are so many benefits, and so few drawbacks, that I recommend parameterized queries as a best practice. Avoid the messy, dangerous practice of embedding values into SQL command strings.
Then there was PAUES – Programmers Against the Use of the End Statement
Now Experts Exchange brings you PAEVISS - Programmers Against Embedded Values In SQL Statements
With ADO.NET there is sometimes a need to insert, update or query the database using a command object.
Using Connection As SqlConnection = New SqlConnection(ConnectionString)
Connection.Open()
Dim CmdText As String = "INSERT INTO [Person] (FirstName, LastName) " & _
"VALUES ('" & txtFirstname.Text & "', '" & txtLastname.Text & ")"
Using cmd As SqlCommand = New SqlCommand(CmdText, Connection)
cmd.ExecuteNonQuery()
End Using
Connection.Close()
End Using
If either of the textbox values contains an apostrophe, then it requires escaping by doubling up.
By entering SQL statements in the textboxes, a user could perform a
SQL injection attack.
Values such as numbers and dates will be coerced into strings, which are subject to culture rules, which can cause problems. For example, there is always much confusion over which date string format is used when sending dates to SQL server using formatted strings. The US format of MM/dd/yyyy will often cause confusion in environments expecting a little endian date format (dd/MM/yyyy.)
Instead, let's look at how you can use
parameterized queries.
Using Connection As SqlConnection = New SqlConnection(ConnectionString)
Connection.Open()
Dim CmdText As String = "INSERT INTO [Person] (FirstName, LastName) " & _
"VALUES (@lastname, @firstname)"
Using cmd As SqlCommand = New SqlCommand(CmdText, Connection)
With cmd.Parameters
.AddWithValue("@lastname", txtLastname.Text)
.AddWithValue("@firstname", txtFirstname.Text)
End With
cmd.ExecuteNonQuery()
End Using
Connection.Close()
End Using
You may notice that this looks similar to the syntax that is used for stored procedures. In fact, the use of parameters can have an effect at the server level to increase execution plan reuse, and thus boost performance slightly. (However, if your SQL Server database has forced parameterization, then every query submitted to the database is compiled with parameters.)
There are so many benefits, and so few drawbacks, that I recommend parameterized queries as a best practice. Avoid the messy, dangerous practice of embedding values into SQL command strings.
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (3)
Commented:
I can't read about SQL Injection without thinking of...
A database guru or geek will,
Say: No DBA elsewhere's my equal.
I can easily handle
a "Bobby'; DROP TABLE" vandal,
'cuz I always escape all my SQL!
But parameterizing the input trumps escaping it, every time ;-)
Author
Commented:Commented: