What is a "query parameter" in C++?
We used stringstream to prepare selected C++ queries. But we are strongly advised to use QUERY PARAMETERS to send DB2 SQL queries, to avoid using stringstream. Can anyone share what exactly is meant by a query parameter in C++? Also, please share some practical code snippet examples.
Appreciate the help in advance.
Edit: This is a string stream, not a stream.
Thanks, Matthew Liju
I suspect this is about parameterized queries in general: instead of building the query in a string, you supply SQL variables (or parameters) and then pass those variables separately. It is much better for handling SQL injection. To illustrate with an example, this:
"SELECT * FROM Customers WHERE CustomerId = " + _customerId;
is bad, but this:
"SELECT * FROM Customers where CustomerId = @CustomerId"
is good. The trick is that you need to add parameters to the request object (I don't know how this is done in C++).
Links to other questions:
- https://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks
- Stored procedures versus parameterized queries
Wild Wild Web:
An SQL query in parameterized form is safer than the string-concatenation format for avoiding SQL injection attacks. Example of a parameterized query (C#, ADO.NET):
StringBuilder sqlstr = new StringBuilder();
sqlstr.Append("SELECT evtconfigurationId, companyid, configname, configimage FROM SCEVT_CONFIGURATIONS ");
sqlstr.Append("WHERE companyid=@companyid ");
cmd.CommandText = sqlstr.ToString();
// the value is sent to the server separately from the SQL text
cmd.Parameters.AddWithValue("@companyid", CompanyID);
Example of the string-concatenation format (vulnerable to injection):
StringBuilder sqlstr = new StringBuilder();
sqlstr.Append("SELECT evtconfigurationId, companyid, configname, configimage FROM SCEVT_CONFIGURATIONS ");
sqlstr.Append("WHERE companyid=" + CompanyID);   // CompanyID is spliced into the SQL text itself
cmd.CommandText = sqlstr.ToString();
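Both answers above describe the idea of passing the value separately from the SQL text, but neither shows it in C++ against DB2, which is what the question asks. The following is an added example written for this page, not code from either answer: it builds the same customer query two ways, with a stringstream (the approach the question wants to move away from) and as a fixed SQL template plus a typed parameter, and then shows how that parameter is bound with the DB2 CLI calls SQLPrepare, SQLBindParameter and SQLExecute. The table and column names, the attacker input "42 OR 1=1", the HAVE_DB2_CLI macro and the executeOnDb2 function are assumptions made for the example; the DB2 section is only compiled when you define HAVE_DB2_CLI and link against the DB2 CLI library, so the rest runs with no database at all.

```cpp
// Added example (not from the original question or answers).
// Contrast a stringstream-built query with a parameterized one, and show
// what binding that parameter looks like with the DB2 CLI (sqlcli1.h).
#include <cstddef>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// What a parameterized query hands to the driver: constant SQL text with
// '?' placeholders plus the values, transported separately and typed.
// DB2 parses only the text; the values are never parsed as SQL.
struct ParamQuery {
    std::string sql;
    std::vector<long> intParams;   // one entry per '?' placeholder, in order
};

// UNSAFE: the untrusted string becomes part of the SQL that DB2 will parse.
std::string buildWithStringstream(const std::string& customerIdInput) {
    std::ostringstream ss;
    ss << "SELECT * FROM Customers WHERE CustomerId = " << customerIdInput;
    return ss.str();
}

// Strict conversion: the whole input must be one decimal integer, so
// "42 OR 1=1" is rejected here instead of reaching the database.
long parseCustomerId(const std::string& input) {
    std::size_t consumed = 0;
    long value = std::stol(input, &consumed);   // throws on "" or "abc"
    if (consumed != input.size())
        throw std::invalid_argument("CustomerId is not an integer: " + input);
    return value;
}

// SAFE: the SQL text is a fixed template; the value travels as a parameter.
ParamQuery buildParameterized(const std::string& customerIdInput) {
    ParamQuery q;
    q.sql = "SELECT * FROM Customers WHERE CustomerId = ?";
    q.intParams.push_back(parseCustomerId(customerIdInput));
    return q;
}

// True when the parameterized path refuses the input (std::stol throws
// invalid_argument or out_of_range, both derived from std::logic_error).
bool parameterizedRejects(const std::string& customerIdInput) {
    try { buildParameterized(customerIdInput); return false; }
    catch (const std::logic_error&) { return true; }
}

#ifdef HAVE_DB2_CLI
#include <sqlcli1.h>   // IBM DB2 CLI; the same calls exist in ODBC (sql.h, sqlext.h)

// Runs a ParamQuery on an already connected DB2 connection handle (hdbc is
// assumed to come from SQLConnect).  SQLPrepare sends the constant text,
// SQLBindParameter attaches each value by pointer, SQLExecute runs it.
SQLRETURN executeOnDb2(SQLHDBC hdbc, const ParamQuery& q) {
    auto ok = [](SQLRETURN r) { return r == SQL_SUCCESS || r == SQL_SUCCESS_WITH_INFO; };
    SQLHSTMT hstmt;
    SQLRETURN rc = SQLAllocHandle(SQL_HANDLE_STMT, hdbc, &hstmt);
    if (!ok(rc)) return rc;
    rc = SQLPrepare(hstmt, (SQLCHAR*)q.sql.c_str(), SQL_NTS);
    // Bound buffers must stay alive until SQLExecute returns.
    std::vector<SQLINTEGER> values(q.intParams.begin(), q.intParams.end());
    std::vector<SQLLEN> indicators(q.intParams.size(), 0);
    for (std::size_t i = 0; i < values.size() && ok(rc); ++i) {
        rc = SQLBindParameter(hstmt, (SQLUSMALLINT)(i + 1), SQL_PARAM_INPUT,
                              SQL_C_LONG, SQL_INTEGER, 0, 0,
                              &values[i], 0, &indicators[i]);
    }
    if (ok(rc)) rc = SQLExecute(hstmt);   // then SQLFetch / SQLGetData for rows
    SQLFreeHandle(SQL_HANDLE_STMT, hstmt);
    return rc;
}
#endif

int main() {
    const std::string attack = "42 OR 1=1";   // constructed attacker input
    std::cout << "stringstream:  " << buildWithStringstream(attack) << "\n";
    std::cout << "parameterized rejects it: "
              << (parameterizedRejects(attack) ? "yes" : "no") << "\n";
    ParamQuery q = buildParameterized("42");
    std::cout << "parameterized: " << q.sql
              << "  [param 1 = " << q.intParams[0] << "]\n";
    return 0;
}
```

Compile and run with g++ -std=c++11 and no database: the stringstream version prints the attacker's OR 1=1 as part of the statement, while the parameterized version refuses that input before any SQL is sent and, for a legitimate id, sends the unchanged template plus the integer 42. In the DB2 CLI section the bound buffers have to remain valid until SQLExecute returns, which is why they live in vectors declared in the same scope as the execute call.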