What is benefit of using parameterized function for query?

Question

1.00/5 (1 vote)

See more:

C#

public static DataSet getDishList(int eID, string uID)
02
{
03
    const string sqlCommand = "SELECT * FROM ITSWEB_event_dish, ITSWEB_dish_type " +
04
                                "WHERE ITSWEB_event_dish.DISH_event_id = :eventID " +
05
                                    "AND ITSWEB_event_dish.DISH_uid = :userID " +
06
                                    "AND ITSWEB_event_dish.DISH_type = ITSWEB_dish_type.DISH_type";

Here i have used eID , uID but i have no idea about code efficiency .
Can anyone explain benefit of this parameterized function?

Posted 10-Jul-13 19:16pm

Member 9410081

Add a Solution

3 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

zenspace · Accepted Answer · 2013-07-10T19:32:00

A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks.

http://stackoverflow.com/questions/4712037/what-is-parameterized-query[^]

_Asif_ · Accepted Answer · 2013-07-10T19:51:00

Solution 2

Check below linkes

http://codebetter.com/davidhayden/2006/01/05/parameterized-queries-and-performance/

Posted 10-Jul-13 19:51pm

_Asif_

Comments

Member 9410081 11-Jul-13 3:25am

Thanks.

Thanks7872 · Accepted Answer · 2013-07-10T19:57:00

-When you use parameterized query,it need only parse and check the syntax of the query the first time it is executed. So long as the SQL statement being executed is unchanged, excluding the values of the parameters, subsequent executions do not need parsing and syntax checking.

-Also, upon repeated execution of a parameterized query, only the parameter values need to be sent to the server. The remainder of the query does not, having already been sent during a previous execution.

-If you use parameterized query,you can get measurable performance impact of using it versus dynamic SQL.

-It plays important role as per as SQL Injection attacks are concerned.

:doh:[Update]:

Why parameterized queries stop SQL injection attacks?[^]

Regards.. :laugh:

What is benefit of using parameterized function for query?

3 solutions

Solution 1

Solution 2

Solution 3

Add your solution here

Preview 0