RE: Syntax error in insert statement?



Josh, Thanks for the reply. The ? are placeholders for parameters. There
are numerous reasons for using parameters instead of building the string as
you mention. I'll give you two:

1. Security. It prevents a SQL injection attack.
2. I don't have to format strings such as this one to insert them. (Note
the apostrophe in the word don't.)

I've managed to get it to work using named parameters, but I'd prefer to use
unnamed parameters to maximize performance.

"Josh Hawley" wrote:

> I'm not sure why you are putting question marks in there...
> I usually use a StringBuilder to make my queries, it helps a lot...
> especially when the queries get really long and complex (I have some that
> are 4 pages long). Something like this:
>
> using System.Text; // StringBuilder
>
> string viewID="1";
> string name="Josh";
> string nameSpace="namespace";
>
> StringBuilder query=new StringBuilder();
> query.AppendFormat("insert into BusDataObject (View_ID, Name, NameSpace) " +
>     "Values ('{0}', '{1}', '{2}')", viewID, name, nameSpace);
> // the {0} inserts the value into the string
> // it is important to have single quotes around any string values to prevent
> // them from running too long
>
>
>
> "dkocur" wrote:
>
> > "insert into BusDataObject (View_ID, Name, NameSpace) Values (?, ?, ?);"
> >
> > results in "Incorrect syntax near '?'."
> >
> > I'm using C# Express Beta 1 with SQL Server. I know it has to be something
> > simple, but I just can't figure it out.
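
The two approaches discussed in this thread, side by side, as an added example that is not code from either poster. It assumes System.Data.SqlClient, which binds parameters by @name (the `?` marker is the convention of the OleDb and Odbc providers); the column types and sizes, the class and method names, and the sample values are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class BusDataObjectInsert
{
    // Statement text is a constant: user data never becomes part of the SQL.
    const string Sql =
        "insert into BusDataObject (View_ID, Name, NameSpace) " +
        "values (@ViewId, @Name, @NameSpace);";

    // Column types and sizes are assumptions; match them to the real table.
    public static SqlCommand Build(SqlConnection conn, int viewId, string name, string nameSpace)
    {
        var cmd = new SqlCommand(Sql, conn);
        cmd.Parameters.Add("@ViewId", SqlDbType.Int).Value = viewId;
        cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
        cmd.Parameters.Add("@NameSpace", SqlDbType.NVarChar, 200).Value = nameSpace;
        return cmd;
    }

    // The string-building approach from the thread, kept only for comparison.
    public static string BuildByFormatting(string viewId, string name, string nameSpace)
    {
        return string.Format(
            "insert into BusDataObject (View_ID, Name, NameSpace) Values ('{0}', '{1}', '{2}')",
            viewId, name, nameSpace);
    }

    static void Main()
    {
        string name = "don't";   // constructed sample value containing an apostrophe

        // Formatting: the apostrophe ends the quoted literal early, so the
        // statement text itself changes with the data.
        Console.WriteLine(BuildByFormatting("1", name, "Demo.Objects"));

        // Parameters: no connection is opened here, the command is only inspected.
        using (SqlCommand cmd = Build(null, 1, name, "Demo.Objects"))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} ({1}) = {2}", p.ParameterName, p.SqlDbType, p.Value);
        }
        // To execute: pass an open SqlConnection to Build, then call ExecuteNonQuery().
    }
}
```

With parameters the command text is identical for every input, and the value travels to the server separately from the statement, so no quoting or escaping of the data is needed.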