CrazyT
Yak Posting Veteran
73 Posts |
Posted - 2010-06-22 : 14:04:55
Kind of a .NET/SQL question. Converting some old code from 1.1 to 3.5, I noticed that they are sending all the SQL statements like the following:

sp_name 'value1', 'value2', 'value3'

It works, but I have never seen it like this. I've always done SQL parameters. Any issues with the above method?
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2010-06-23 : 02:12:37
We'd need some more info to give a 100% accurate answer, but passing parameters using .Add(... is ALWAYS the best. If the procedure call is formatted like a regular inline SQL query (string myQuery = @"Select * from table") or a StringBuilder or something, you'll be vulnerable to SQL injection and also might be a victim of inefficient code (recompiles).

If it's not too much of a hassle you should change them all to SQL parameters.

- Lumbago
My blog (yes, I have a blog now! just not that much content yet) -> www.thefirstsql.com
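Added example, not code from this thread or from either poster: the two call styles Lumbago contrasts, written in C# against System.Data.SqlClient. The procedure name dbo.usp_SaveOrder, its parameter names and lengths, the connection string and the hostile input value are all assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread. The procedure dbo.usp_SaveOrder,
// its parameters @CustomerName/@Notes and the connection string are assumed.
public static class ProcCallDemo
{
    // The old pattern from the question: the procedure call is assembled as
    // text and every value is spliced in as a quoted literal. Whatever the
    // caller supplies becomes part of the SQL batch.
    public static string BuildInlineCall(string customerName, string notes)
    {
        return "dbo.usp_SaveOrder '" + customerName + "', '" + notes + "'";
    }

    // The parameterized replacement: the command text is only the procedure
    // name, CommandType.StoredProcedure makes ADO.NET send an RPC call, and
    // each value travels as a typed parameter, never as SQL text.
    public static SqlCommand BuildParameterizedCall(SqlConnection conn, string customerName, string notes)
    {
        var cmd = new SqlCommand("dbo.usp_SaveOrder", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        // Explicit SqlDbType and length instead of AddWithValue, so the
        // parameter shape is identical on every call.
        cmd.Parameters.Add("@CustomerName", SqlDbType.NVarChar, 100).Value = customerName;
        cmd.Parameters.Add("@Notes", SqlDbType.NVarChar, 500).Value = notes;
        return cmd;
    }

    public static void Main()
    {
        // Constructed hostile input: closes the quoted literal, appends a
        // statement of the attacker's choosing, then comments out the rest.
        string hostile = "Smith'; DELETE FROM dbo.Orders; --";

        // Inline form: the result is a batch containing a second statement.
        Console.WriteLine(BuildInlineCall(hostile, "urgent"));

        // Parameterized form: the quote and semicolon are just characters
        // inside the value of @CustomerName.
        // Placeholder connection string; nothing is opened in this demo.
        using (var conn = new SqlConnection("Server=.;Database=Shop;Integrated Security=true"))
        using (var cmd = BuildParameterizedCall(conn, hostile, "urgent"))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} ({1}, {2}) = {3}", p.ParameterName, p.SqlDbType, p.Size, p.Value);

            // Against a real database:
            // conn.Open();
            // cmd.ExecuteNonQuery();
        }
    }
}
```

Running this without a database just prints both forms. The inline call with the hostile value reads as `dbo.usp_SaveOrder 'Smith'; DELETE FROM dbo.Orders; --', 'urgent'`, which SQL Server treats as a procedure call followed by a DELETE; the parameterized command's text is still just `dbo.usp_SaveOrder`, with the whole hostile string sitting in one nvarchar(100) parameter. One caveat: parameters protect the call site only; if the procedure itself concatenates its arguments into dynamic SQL and EXECs the result, the injection moves inside the procedure.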
CrazyT
Yak Posting Veteran
73 Posts |
Posted - 2010-06-24 : 14:05:06
I'm going to switch it to SQL parameters. Thanks.