public static DataSet getDishList(int eID, string uID)
{
    // Named placeholders (:eventID, :userID) are bound separately from the SQL text
    const string sqlCommand = "SELECT * FROM ITSWEB_event_dish, ITSWEB_dish_type " +
                              "WHERE ITSWEB_event_dish.DISH_event_id = :eventID " +
                              "AND ITSWEB_event_dish.DISH_uid = :userID " +
                              "AND ITSWEB_event_dish.DISH_type = ITSWEB_dish_type.DISH_type";
    // ... command setup, parameter binding and DataSet fill were not included in the post
}

Here I have used eID and uID, but I have no idea about code efficiency.
Can anyone explain the benefit of this parameterized function?

A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks.
Member 9410081 11-Jul-13 3:25am
- When you use a parameterized query, the server only needs to parse and check the syntax of the query the first time it is executed. As long as the SQL statement being executed is unchanged, excluding the values of the parameters, subsequent executions do not need parsing and syntax checking.

- Also, upon repeated execution of a parameterized query, only the parameter values need to be sent to the server. The remainder of the query does not, having already been sent during a previous execution.

- If you use a parameterized query, you can get a measurable performance impact versus dynamic SQL.

- It plays an important role as far as SQL injection attacks are concerned.


Why do parameterized queries stop SQL injection attacks?

Regards.. :laugh:
Member 9410081 11-Jul-13 3:25am
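The two points made in the answers above (the value can never change the statement's structure, and the statement text stays identical across calls) can be seen directly by running the question's query both ways. This is an added example, not code from the question or from CodeProject: it uses Python's sqlite3 because it accepts the same :name placeholders the Oracle query uses, and the table schema and rows are constructed stand-ins, since the real columns were not posted.

```python
import sqlite3

# Constructed in-memory stand-in for the page's two tables (columns are assumed).
SCHEMA = """
CREATE TABLE ITSWEB_dish_type (DISH_type TEXT PRIMARY KEY, DISH_name TEXT);
CREATE TABLE ITSWEB_event_dish (DISH_event_id INTEGER, DISH_uid TEXT, DISH_type TEXT);
INSERT INTO ITSWEB_dish_type VALUES ('soup', 'Soup'), ('main', 'Main course');
INSERT INTO ITSWEB_event_dish VALUES (1, 'alice', 'soup'), (1, 'bob', 'main'), (2, 'alice', 'main');
"""
# The statement from the question; sqlite3's :name placeholders stand in for Oracle's.
SQL_PARAMETERIZED = (
    "SELECT * FROM ITSWEB_event_dish, ITSWEB_dish_type "
    "WHERE ITSWEB_event_dish.DISH_event_id = :eventID "
    "AND ITSWEB_event_dish.DISH_uid = :userID "
    "AND ITSWEB_event_dish.DISH_type = ITSWEB_dish_type.DISH_type"
)

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def get_dish_list(conn, e_id, u_id):
    """Parameterized: values are bound separately from the SQL text, so they can only
    ever be compared as data. The text is identical on every call, so the driver can
    reuse the parsed statement instead of re-parsing it."""
    return conn.execute(SQL_PARAMETERIZED, {"eventID": e_id, "userID": u_id}).fetchall()

def get_dish_list_concat(conn, e_id, u_id):
    """Dynamic SQL: u_id is pasted into the statement, so any quote characters in it
    are read as SQL syntax. Kept only as the 'before' to contrast with get_dish_list."""
    sql = (
        "SELECT * FROM ITSWEB_event_dish, ITSWEB_dish_type "
        f"WHERE ITSWEB_event_dish.DISH_event_id = {int(e_id)} "
        f"AND ITSWEB_event_dish.DISH_uid = '{u_id}' "
        "AND ITSWEB_event_dish.DISH_type = ITSWEB_dish_type.DISH_type"
    )
    return conn.execute(sql).fetchall()

def compare(u_id, e_id=1):
    """Return (row count from concatenated SQL, row count from parameterized SQL)."""
    conn = open_db()
    try:
        return len(get_dish_list_concat(conn, e_id, u_id)), len(get_dish_list(conn, e_id, u_id))
    finally:
        conn.close()

if __name__ == "__main__":
    for uid in ("alice", "x' OR 'a'='a"):   # second value is a constructed hostile input
        print(repr(uid), "concat/parameterized rows:", compare(uid))
```

For "alice" both variants return the same single row; for a value containing a quote the concatenated version's WHERE clause is rewritten and it returns every event row, while the parameterized version compares the whole string as a literal and returns nothing.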

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
