Home/ Questions/Q 8872347
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T18:12:03+00:00

I typically write my SQL as so in .NET sql.Append(SELECT id, code, email FROM

  • 0

I typically write my SQL as so in .NET

sql.Append("SELECT id, code, email FROM mytable WHERE variable = @variable ");

Then do something like this:

using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings[ConfigurationManager.AppSettings["defaultConnection"]].ConnectionString))
{
    using (SqlCommand myCommand = new SqlCommand(sql.ToString(), conn))
    {
        myCommand.Parameters.AddWithValue("@variable", myVariableName");
        ...

But should I also do this addParameter when the data I got comes directly from the database like so?

likesql.Append(string.Format("SELECT group_id, like_text FROM likeTerms ORDER BY group_id ASC "));

DataTable dtLike = SqlHelper.GetDataTable(likesql.ToString());

foreach (DataRow dr in dtLike)
{
    buildsql.Append(".... varId = " + dr["group_id"].ToString() + "...");

    ...

Is this acceptable? What is best practice?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You should always use parameters:

    • Where are the values in your database coming from?
    • Can you trust, in your example, that ‘group_id’ wasn’t modified to be something you’re not expecting?

    Trust noone

    Can someone with limited database access inject directly into a field used elsewhere?

    Performance

    Also, it helps performance. Cached execution plans will disregard the value of the parameter, meaning you’re saving the server from recompiling the query every time the parameters change.

    • 0