What is passing parameters to SQL and why do I need it?

c# asp.net sql sql-server stored-procedures

Passing parameters to SQL saves you from having to build a dynamic SQL string.

Building dynamic SQL statements is a HUGE security risk because people can inject their own SQL code into your application, possibly executing undesirable commands against your data.

There are some good samples of possible SQL Injection attacks at:

SQL Injection Attacks by Example

There are two ways of passing parameters to SQL statements. One is to use Stored Procedures like you mentioned. The other is to use parameterized queries (which is actually what I prefer).

A parameterized query is actually quite easy in .NET:

using(SqlConnection conn = new SqlConnection(connString))
{
    SqlCommand command = 
        new SqlCommand("SELECT * FROM Users WHERE Username = @Username", conn);

    command.Parameters.Add(new SqlParameter("@Username", "Justin Niessner"));

    SqlDataAdapter adapter = new SqlDataAdapter(command);
    DataTable dt = new DataTable();

    adapter.Fill(dt);
}

In that example, the parameter was @Username and we used the Parameters collection of the SqlCommand object to pass in the value.


It'll protect you from little Bobby Tables.

http://xkcd.com/327/


Here is an example:

        SqlConnection myConn = new SqlConnection("my connection string");

        SqlCommand myCmd = new SqlCommand("myStoredProcName", myConn);

        myCmd.CommandType = CommandType.StoredProcedure;

        myCmd.Parameters.AddWithValue("@cGroupID", 0).Direction = ParameterDirection.InputOutput;
        myCmd.Parameters.AddWithValue("@gType", "C");
        myCmd.Parameters.AddWithValue("@requirement", "Y");
        myCmd.Parameters.AddWithValue("@usercode", "XX");

        myConn.Open();
        myCmd.ExecuteNonQuery();

        int covID = (int)myCmd.Parameters["@cGroupID"].Value;

Using Parameters is a good way to prevent some errors, and help stop injection vectors. It also allows OUTPUT parameters, as in the example above where cGroupID comes back with a value that I can access.


The primary issue with simply concatenating strings is that it often leaves you vulnerable to SQL Injection attacks.

Google SQL Injection or read here.

Related

Valid JAR signature for JavaFX projects
How to provide pagination support to a JTable in Swing?
Subsetting a data frame based on contents of another data frame
How to parse very huge XML Files in C#? [duplicate]
call function inside $sce.trustAsHtml() string in Angular js
Out-of-order execution vs. speculative execution
Android - How to Enable Autostart option programmatically in Xiaomi devices?
How to deal with Microsoft and Google agressive spam policies?
Can not stop tzdata asking for user input during docker-compose build
How to implement INotifyPropertyChanged in Xamarin.Forms
Find files across all drives using Powershell
Sysadmin related Twitter tags [closed]