Hi,

We were using stringstream to prepare select queries in C++. But we were strongly advised to use QUERY PARAMETERS to submit DB2 SQL queries and to avoid using stringstream. Can anyone share what exactly is meant by a query parameter in C++? Also, please share some practical sample code snippets.

Appreciate the help in advance.

Edit: It is stringstream and not strstream.

Thanks, Mathew Liju

+3  A: 

I suspect this refers to parameterized queries in general: rather than constructing the query in a string, they supply SQL variables (or parameters) and then pass those variables separately. These are much better for handling SQL injection attacks. To illustrate with an example:

"SELECT * FROM Customers WHERE CustomerId = " + _customerId;

Is bad, while this:

"SELECT * FROM Customers where CustomerId = @CustomerId"

is good. The catch is that you have to add the parameters to the query object (I don't know how this is done in C++).

References to other questions:

Wild Wild Web:

vfilby
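Since the question asks about C++, here is an added example (not code from any of the posters) that models the two approaches side by side: std::stringstream splicing a value into the SQL text, versus a fixed statement with DB2 CLI-style '?' markers whose values are bound separately. The PreparedStatement struct, buildPrepared and quotesBalanced are my own stand-ins so it runs without a database; a real program would call SQLPrepare, SQLBindParameter and SQLExecute from the DB2 CLI/ODBC API instead.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Unsafe: the input value is spliced into the SQL text itself.
std::string buildWithStream(const std::string& name) {
    std::stringstream ss;
    ss << "SELECT id, name FROM customers WHERE name = '" << name << "'";
    return ss.str();
}

// Prepared-statement shape: fixed SQL with '?' markers (the DB2 CLI
// placeholder syntax) and values carried separately. A real driver gets
// the text through SQLPrepare and each value through SQLBindParameter;
// this struct only models that separation so the example runs offline.
struct PreparedStatement {
    std::string sql;                  // fixed at prepare time
    std::vector<std::string> params;  // bound values, sent out of band

    size_t markerCount() const {
        size_t n = 0;
        for (char c : sql) if (c == '?') ++n;
        return n;
    }
    // Every marker must be bound before execution, as SQLExecute requires.
    bool readyToExecute() const { return markerCount() == params.size(); }
};

PreparedStatement buildPrepared(const std::string& name) {
    PreparedStatement ps;
    ps.sql = "SELECT id, name FROM customers WHERE name = ?";
    ps.params.push_back(name);  // stands in for SQLBindParameter(hstmt, 1, ...)
    return ps;
}

// Cheap sanity check on concatenated SQL: an odd number of single quotes
// means the input altered the statement's structure, not just a value.
bool quotesBalanced(const std::string& sql) {
    size_t n = 0;
    for (char c : sql) if (c == '\'') ++n;
    return n % 2 == 0;
}

int main() {
    std::string name = "O'Brien";  // constructed input: a real name with an apostrophe
    std::cout << buildWithStream(name) << "\n";  // three quotes: broken statement
    PreparedStatement ps = buildPrepared(name);
    std::cout << ps.sql << "  [param 1 = " << ps.params[0] << "]\n";
}
```

The stringstream version changes shape with every input, while the prepared version's SQL text is identical no matter what is bound, which is exactly why the database can never mistake data for syntax.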
+1  A: 

An SQL query in parameterized form is safer than the string format for avoiding SQL injection attacks. Example of a parameterized query:

StringBuilder sqlstr = new StringBuilder();
sqlstr.Append("SELECT evtconfigurationId, companyid, " +
  "configname, configimage FROM SCEVT_CONFIGURATIONS ");
sqlstr.Append("WHERE companyid=@companyid ");
// the value is bound separately; it never becomes part of the SQL text
cmd.CommandText = sqlstr.ToString();
cmd.Parameters.AddWithValue("@companyid", CompanyID);

Example of the query string format:

StringBuilder sqlstr = new StringBuilder();
sqlstr.Append("SELECT evtconfigurationId, companyid, configname, " +
   "configimage FROM SCEVT_CONFIGURATIONS ");
// the value is spliced into the SQL text: this is the injectable form
sqlstr.Append("WHERE companyid=" + CompanyID);
Nakul Chaudhary
+1 for mentioning SQL injection which is the main purpose of parameterizing
Robert Gould