Parameter Direction Question

Question

1.00/5 (1 vote)

See more:

Hi
I have a simple query which is :

SQL

SELECT fullname FROM usersAccount WHERE username = @usr AND passwrd = @pwd;

Does It required to used ParameterDirection.Input for better Query ? Am just curious about using ParameterDirection on non-stored Query if theirs some sort of Improvement/Coding Quality.

SQL

cmd.Parameters.Add("@usr", SqlDbType.VarChar, 20, ParameterDirection.Input).Value = Me.txtUserName.Text
cmd.Parameters.Add("@pw", SqlDbType.BigInt, 15, ParameterDirection.Input).Value = Me.txtPassword.Text</pre>

Posted 24-Sep-13 8:29am

iMaker.ph

Updated 24-Sep-13 8:38am

Richard C Bishop

v3

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2013-09-24T08:37:00

No. The easiest way to do this is just to say:

VB

cmd.Parameters.AddWithValue("@usr", txtUserName.Text)
cmd.Parameters.AddWithValue("@pw", txtPassword.Text)

But please don't do that! Storing passwords in clear text is a horrible security risk. See here: Password Storage: How to do it.[^] - it's in C#, but the code is pretty much identical in VB.

"I thought that using

VB

cmd.Parameter.add("pwd",SqlDbType.BigInt, 15).Value

is better than AddWithValue due to it can strict the Type/Length of the Input"

It can, yes. And that's a problem!

When you use the Add method with a text string and specify the length, the Add method truncates the string to the length you specify, without telling you. So if you specify a string length of 20 characters and your user enters a 100 character comment, 80 characters will be discarded and you don't know. Worse - your user doesn't know and is instead assured that the database was updated correctly.
If you use AddWithValue, the whole string is passed through, and SQL will refuse to enter it and throw an exception back to your code - so you can tell the user there is a problem!

There is also the fun and games of changes to the DB needing to be reflected in the code and so forth, but throwing away user data without anyone knowing is much, much worse - because it is unfixable (the data can't be recovered) and that erodes user confidence in the system as a whole.

And still don't save passwords in clear text!