What is a "query parameter" in C++?

Question

Hi,

We were using stringstream to prepare select queries in C++. But we were strongly advised to use QUERY PARAMETERS to submit db2 sql queries to avoid using of stringstream. Can anyone share what exactly meant by query parameter in C++? Also, share some practical sample code snippets.

Appreciate the help in advance.

Edit: It is stringstream and not strstream.

Thanks, Mathew Liju

Answer 1

I suspect this refers to parameterized queries in general, rather than constructing the query in a string, they supply sql variables (or parameters) and then pass those variables separately. These are much better for handling SQL Injection Attacks. To illustrate with an example:

"SELECT * FROM Customers WHERE CustomerId = " + _customerId;

Is bad, while this:

"SELECT * FROM Customers where CustomerId = @CustomerId"

is good. The catch is that you have to add the parameters to the query object (I don't know how this is done in C++.

References to other questions:

• http://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks
• http://stackoverflow.com/questions/230668/stored-procedures-vs-parameterized-queries

Wild Wild Web:

• http://www.justsoftwaresolutions.co.uk/database/database-tip-use-parameterized-queries.html

Answer 2

Sql query in parameterized query form is safe than string format to avoid sql injection attack. Example of parameterized query

StringBuilder sqlstr = new StringBuilder();  
cmd.Parameters.AddWithValue("@companyid", CompanyID);  
sqlstr.Append("SELECT evtconfigurationId, companyid, 
  configname, configimage FROM SCEVT_CONFIGURATIONS ");
sqlstr.Append("WHERE companyid=@companyid ");

Example of query string format

StringBuilder sqlstr = new StringBuilder();   
sqlstr.Append("SELECT evtconfigurationId, companyid, configname, 
   configimage FROM SCEVT_CONFIGURATIONS ");
sqlstr.Append("WHERE companyid" +  CompanyID);