I can't see any benefit of not using parameters, instead varying programming style introduces several problems:
1. Program changes, while in the beginning it could be that some of the statements would only be used internally by the program, what if the design changes. You may have completely valid, reusable statement and one could use it in a place where it's run with direct user input.
2. Complexity of choice, you would always need to carefully consider where the statement is used before deciding whether to use parameters or not. I'd say this would be waste of time.
3. Need to do conversions, think about decimals, dates, times, special characters such as ' and so on. You would need to properly take all these aspects into account when building the statement. For example with my regional settings if I'd concatenate a decimal number to an SQL statement, it would fail miserably since my delimiter dfor decimals is comma.
4. Plan re-usability, when parameters are used the database can more easily use an existing execution plan. If you use literals the database may need to do optimization for each statement separately or at least do extra work to identify the statement as an existing one when literals are used. With more complex statements the amount of time wasted is significant.
5. Statement re-usability, in case you need to execute the same statement several times with different values, you can use an exiting statement and command object. Just change the values of the parameters and execute. Otherwise you would need to at least change the statement of the command and this affects client side command cache (if applicable).
As said there are several reasons why to use parameters while I cannot think of any benefits of not using parameters. So:
Resistance is futile. You will be assimilated.
:)
Submit an article or tip