Home/ Questions/Q 921333
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T18:51:29+00:00

What changes SqlCommand.Parameters.AddWithValue() does with the query? I expect that: It replaces every ‘

  • 0

What changes SqlCommand.Parameters.AddWithValue() does with the query?

I expect that:

  1. It replaces every ' character by '',

  2. If a parameter value is a string or something which must be converted to a string, it surrounds the value by ', so for example select * from A where B = @hello will give select * from A where B = 'hello world'.

  3. If a parameter value is something “safe” like an integer, it is inserted in a query as is, without quotes, so select * from A where B = @one would give select * from A where B = 1.

Is there any other changes I’m not aware of?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The ADO.NET SqlClient driver will not do any replacements! That’s a common misconception – it avoids the trouble of replacing anything.

    What it does is pass your query with the parameters @param1 ... @paramN straight to SQL Server, along with a collection of parameter name/value pairs. SQL Server then executes those using the sp_executesql stored proc.

    No replacements are ever done, there’s no “stringing together the complete SQL statement” on the client side – nothing like that. If that’s what the ADO.NET runtime were doing, it, too, would be very susceptible to SQL injection attacks.

    • 0