Why should we use the parameter object when it seems like duplicated code? The info is described in SQL Server as int, varchar, etc., so why do we have to redundantly use the parameter object when inserting a record rather than passing the parameter in SQL query insert code? Just curious???


Re: Parameters by Miha

Miha
Tue Mar 07 07:50:42 CST 2006

SQL injection, formatting problems (what is the decimal delimiter? what is the date format?)...

--
Miha Markic [MVP C#]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/

"Shawn Thompson" <SFergus2@cscc.edu> wrote in message news:%23j9Gk0eQGHA.3460@TK2MSFTNGP15.phx.gbl...
Why should we use the parameter object when it seems like duplicated code? The info is described in SQL Server as int, varchar, etc., so why do we have to redundantly use the parameter object when inserting a record rather than passing the parameter in SQL query insert code? Just curious???


Re: Parameters by W

W
Tue Mar 07 13:39:33 CST 2006

There are many reasons if I understand your question correctly:

1- Parameter Direction. Using inline SQL without parameters you would have a difficult time retrieving output parameters, for instance. And using output params and return values can be very beneficial to performance.
2- Security. You can use UI elements to help safeguard against injection attacks (for instance, only allowing 10-character passwords to be entered and not allowing statements like "Drop" or any other potentially mischievous stuff). However, Microsoft has already done this with parameters. There's nothing wrong with enacting such measures on your own as an additional safeguard, and in fact you probably should, but by using parameters you get an added layer of security in that you don't have to worry about covering every possible situation. In fact, even knowing every possible attack can be quite difficult. And while I'm not saying that every possible scenario is necessarily covered by using
3- It indicates your intentions of the code much more clearly.

As far as performance, I've heard that even if you don't specify precision, for instance you use

cmd.Parameters.Add("@myParam").Value = whatever;

that you don't lose performance if you're using SQL Server b/c it's very efficient in this respect, but I haven't ever confirmed this personally.

All in all though, it's worth it. Sometime down the road you're going to get a name like O'Ryan that you forgot to escape and it'll cause some problems. And even if you always remember to escape them, some other developer will forget or not know, and at that point the customer will have already seen the problem. Plus injection attacks are one thing that most people know about, and in a security audit it'll be one of the first things that's tried - and if they can inject something in there in an audit, you're going to look bad no matter what your reason is. All in all you get a lot of bang for the buck here.

"Shawn Thompson" <SFergus2@cscc.edu> wrote in message news:%23j9Gk0eQGHA.3460@TK2MSFTNGP15.phx.gbl...
Why should we use the parameter object when it seems like duplicated code? The info is described in SQL Server as int, varchar, etc., so why do we have to redundantly use the parameter object when inserting a record rather than passing the parameter in SQL query insert code? Just curious???


Re: Parameters by n4ixt

n4ixt
Sat Mar 11 08:59:24 CST 2006

One other reason that hasn't been mentioned yet: Avoiding confusion when a
string field contains a single quote mark.

When you pass in a field, say a last name of O'Reilly for example, creating
a SQL command would amount to:
select * from employee where last_name = 'O'Reilly'

As you can see, the ' after the O will confuse the database. Passing in
O'Reilly as a parameter avoids this headache, and you don't have to write a
lot of code to check for ' inside your passed in strings.

Robert


"Shawn Thompson" <SFergus2@cscc.edu> wrote in message
news:%23j9Gk0eQGHA.3460@TK2MSFTNGP15.phx.gbl...
Why should we use the parameter object when it seems like duplicated code? The info is described in SQL Server as int, varchar, etc., so why do we have to redundantly use the parameter object when inserting a record rather than passing the parameter in SQL query insert code? Just curious???
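The failure modes raised across this thread (Miha's decimal-delimiter and date-format problems, W's point that parameters are the layer that spares you from escaping every O'Ryan by hand, and the O'Reilly lookup in the post above) run side by side, as an added example that is not code from any of the posters. It uses Python's built-in sqlite3 module as a stand-in for ADO.NET and SQL Server, so the `?` placeholder plays the role of the `@myParam` parameter object; the employee table, its rows and the locale-formatted strings are constructed sample data.

```python
"""Added example, not code from the thread: the same INSERT and SELECT done by
pasting values into the SQL text and by passing them as parameters.  Python's
built-in sqlite3 module stands in for ADO.NET/SQL Server; the employee table,
its rows and the locale-formatted strings are constructed sample data."""
import sqlite3
from decimal import Decimal


def make_db():
    """Fresh in-memory database holding the constructed employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (last_name TEXT NOT NULL, salary REAL, hired TEXT)")
    return conn


def run(conn, sql, args=()):
    """Execute one statement and return ('ok', rows) or ('error', message)
    instead of raising, so the two styles can be compared on equal terms."""
    try:
        rows = conn.execute(sql, args).fetchall()
        conn.commit()
        return ("ok", rows)
    except sqlite3.Error as exc:
        return ("error", str(exc))


# --- the style the original poster asks about: values pasted into the text ---

def insert_concat(conn, last_name, salary_text, hired_text):
    """salary_text and hired_text are whatever the UI layer rendered, so under a
    European locale they may arrive as "2000,00" and "07.03.2006" (Miha's
    decimal-delimiter and date-format problems)."""
    sql = ("INSERT INTO employee (last_name, salary, hired) VALUES ('"
           + last_name + "', " + salary_text + ", '" + hired_text + "')")
    return run(conn, sql)


def select_concat(conn, last_name):
    """n4ixt's example: a quote inside the value ends the string literal early."""
    sql = "SELECT last_name FROM employee WHERE last_name = '" + last_name + "'"
    return run(conn, sql)


# --- parameterised: the statement text is fixed, values travel separately ---

def insert_param(conn, last_name, salary, hired_iso):
    """salary is a number and hired_iso an ISO-8601 date string; no locale
    formatting and no quoting ever touch the SQL text."""
    return run(conn,
               "INSERT INTO employee (last_name, salary, hired) VALUES (?, ?, ?)",
               (last_name, float(salary), hired_iso))


def select_param(conn, last_name):
    return run(conn, "SELECT last_name FROM employee WHERE last_name = ?",
               (last_name,))


def demo():
    """Run both styles against the same inputs and collect the outcomes."""
    conn = make_db()
    out = {}
    # A last name containing a quote: the concatenated statements fail with a
    # syntax error, the parameterised ones store and find the row.
    out["concat_insert_quote"] = insert_concat(conn, "O'Reilly", "1500.50", "2006-03-07")
    out["param_insert_quote"] = insert_param(conn, "O'Reilly", Decimal("1500.50"), "2006-03-07")
    out["concat_select_quote"] = select_concat(conn, "O'Reilly")
    out["param_select_quote"] = select_param(conn, "O'Reilly")
    # A salary rendered with a decimal comma: the concatenated INSERT now
    # carries four values for three columns; the parameter carries the number.
    out["concat_insert_locale"] = insert_concat(conn, "Smith", "2000,00", "2006-03-01")
    out["param_insert_locale"] = insert_param(conn, "Smith", Decimal("2000.00"), "2006-03-01")
    out["rows"] = run(conn, "SELECT last_name, salary FROM employee ORDER BY last_name")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

The point is that both concatenated statements break on ordinary, non-malicious data: a surname with an apostrophe and a number rendered with a decimal comma. Neither needs a hand-written escaping routine once the value is passed as a parameter, because the database receives the statement text and the value through separate channels and never parses the value as SQL.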


