I am new to ASP.NET and C# programming.
I would like to know what the difference is, and what the advantages and disadvantages are, of using parameters instead of concatenation in SQL statements, as I have heard that it is a better way to prevent SQL injection(?)
Below are sample INSERT statements which I have changed from using concatenation to parameters:
Concatenation:
string sql = "INSERT INTO [UserData] (Username, Password, ...) VALUES ('" + usernameTB.Text + "', '" + pwTB.Text + "', ...)";
Parameters:
cmd.CommandText = "INSERT INTO [UserData] (Username, Password, ...) VALUES (@Username, @Password, ...)";
cmd.Parameters.AddWithValue("Username", usernameTB.Text);
cmd.Parameters.AddWithValue("Password", pwTB.Text);
Thank you in advance for any knowledge provided.
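To make the difference concrete, here is an added example (not code from the question) that places the concatenated statement beside a parameterized one using System.Data.SqlClient. It assumes a SQL Server table [UserData] with nvarchar columns Username and Password and a connection string supplied by the caller; the column lengths 50 and 100 are assumptions. The concatenated version is kept only to show what the driver receives: any input containing a single quote, even a legitimate name such as O'Brien, becomes part of the SQL text and changes the statement, which is exactly the property injection relies on. In the parameterized version the SQL text is fixed and the values are sent separately, so the database never parses them as SQL.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: vulnerable concatenation beside the parameterized form.
// Assumes table [UserData] (Username nvarchar(50), Password nvarchar(100)).
static class UserDataInsert
{
    // VULNERABLE: the user's input is spliced into the SQL text itself.
    // A value containing a quote (e.g. O'Brien) ends the string literal early and
    // whatever follows is parsed as SQL, so the statement's structure is under
    // the caller's control. Shown only to illustrate the problem.
    public static string BuildConcatenatedSql(string username, string password)
    {
        return "INSERT INTO [UserData] (Username, Password) VALUES ('"
               + username + "', '" + password + "')";
    }

    // SAFE: the SQL text is constant; values travel as typed parameters that the
    // driver passes to the server separately from the command text.
    public static int InsertWithParameters(string connectionString, string username, string password)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "INSERT INTO [UserData] (Username, Password) VALUES (@Username, @Password)";

            // Declaring type and length explicitly (instead of AddWithValue) avoids
            // type inference from the .NET value, which can otherwise produce
            // differently typed parameters per call and hurt plan reuse.
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 100).Value = password;

            conn.Open();
            return cmd.ExecuteNonQuery(); // number of rows inserted (1 on success)
        }
    }

    static void Main()
    {
        // With concatenation, a perfectly ordinary value already breaks the statement:
        // the apostrophe in O'Brien terminates the literal and the server raises a
        // syntax error. The same mechanism lets a crafted value alter the query.
        Console.WriteLine(BuildConcatenatedSql("O'Brien", "secret"));

        // With parameters the same value is stored verbatim, quote and all.
        // Connection string is a placeholder; replace with your own before running.
        // int rows = InsertWithParameters("<your-connection-string>", "O'Brien", "secret");
    }
}
```

Parameters solve the injection problem because the value never becomes part of the statement text; they do not change what is stored, so the Password column in this table would still hold the raw password, which is a separate concern from injection.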