c# - Benefits of use parameters instead of concatenation

Question

Welcome To Ask or Share your Answers For Others

c# - Benefits of use parameters instead of concatenation

posted Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

c# - Benefits of use parameters instead of concatenation

I am new to ASP.NET and C# programming.

I would like to know what is the difference and advantages plus disadvantages of using parameters instead of concatenation in SQL statements, as I heard that it is a better way to prevent SQL injection(?)

Below are sample INSERT statements which I have changed from using concatenation to parameters:

Concatenation:

string sql = string.Format("INSERT INTO [UserData] (Username, Password, ...) VALUES ('" + usernameTB.Text + "', '" + pwTB.Text + "',...);

Parameters:

cmd.CommandText = "INSERT INTO [UserData] (Username, Password, ...) VALUES (@Username, @Password, ...)";

cmd.Parameters.AddWithValue("Username", usernameTB.Text);
cmd.Parameters.AddWithValue("Password", pwTB.Text);

Thank you in advance for any knowledge provided.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Reply

深蓝 · Answer 1 · 2021-10-23T21:28:53+0000

Safety. Concatenation opens you up to SQL-injection, especially when TB stands for Textbox. (Obligatory XKCD cartoon)
Type safety. You solve a lot of DateTime and number formatting issues.
Speed. The query does not change all the time, the system(s) may be able to re-use a query handle.

Categories

c# - Benefits of use parameters instead of concatenation

c# - Benefits of use parameters instead of concatenation

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags