views: 3593
answers: 6

I was browsing through the questions and noticed this:

SELECT prodid, issue FROM Sales WHERE custid = @custid AND datesold = (SELECT MAX(datesold) FROM Sales s WHERE s.prodid = Sales.prodid AND s.issue = Sales.issue AND s.custid = @custid)

I was wondering what the "@" does in front of custID? Is it just a way of referencing the custID from the table being selected?

+12  A: 

@ is used as a prefix denoting stored procedure and function parameter names, and also variable names.

Steven A. Lowe
+6  A: 

The @CustID means it's a parameter that you will supply a value for later in your code. This is the best way of protecting against SQL injection. Create your query using parameters, rather than concatenating strings and variables. The database engine puts the parameter value in where the placeholder is, and there is zero chance for SQL injection.

Kibbee
@Mark: Could you explain how that's a valid SQL injection attempt? As far as I can see, it would error out if sent to SqlServer.
Michael Todd
A: 

It's a parameter that you need to define. To prevent SQL injection you should pass all your variables in as parameters.

bendewey
+1  A: 

You may be used to MySQL's syntax: Microsoft SQL's @ is the same as MySQL's ?

amdfan
A: 

So would you set what @custID's value is inside this select query or before you do the query?

SET @custID = '1';

Something like that?

Levi
If the SQL is a stored procedure, you would set it before the query. The details for this are language/platform specific. If it is a pure query you would have to define the variable and then set it: DECLARE @custID int; SET @custID = 1;
Anthony K
+1  A: 

What you are talking about is the way a parameterized query is written. '@' just signifies that it is a parameter. You can add the value for that parameter during the execution process.

e.g.:
using System.Data.SqlClient;
SqlCommand cmd = new SqlCommand(query, connection);
cmd.Parameters.AddWithValue("@custid", 1);   // value is bound to the @custid placeholder, never concatenated into the SQL text
SqlDataReader dr = cmd.ExecuteReader();
Samiksha
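To show the point made in Kibbee's and Samiksha's answers end to end, here is an added example (not code from the original question or any of the answers) that runs the question's query with the @custid placeholder bound at execution time, and contrasts it with splicing the value into the SQL text. It uses an in-memory SQLite database with a constructed Sales table because SQLite accepts the same @name placeholder syntax as SQL Server; the table contents, the function names and the `latest_sales_concatenated` helper are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original post): a small Sales table
# with several customers, including two sales of the same prodid/issue for
# customer 1 so that the MAX(datesold) subquery actually has something to do.
SALES_ROWS = [
    # custid, prodid, issue, datesold
    (1, "P-100", 1, "2008-01-05"),
    (1, "P-100", 1, "2008-03-20"),   # later sale of the same prod/issue
    (1, "P-200", 2, "2008-02-11"),
    (2, "P-100", 1, "2008-04-01"),
    (3, "P-300", 1, "2008-05-15"),
]

# The query from the question (datesold added to the select list so the
# result is easy to read). @custid is a placeholder, not a column: the
# driver binds a value to it when the statement executes.
LATEST_SALES_SQL = """
SELECT prodid, issue, datesold
FROM Sales
WHERE custid = @custid
  AND datesold = (SELECT MAX(s.datesold) FROM Sales s
                  WHERE s.prodid = Sales.prodid
                    AND s.issue = Sales.issue
                    AND s.custid = @custid)
ORDER BY prodid
"""


def open_sample_db() -> sqlite3.Connection:
    """Create the constructed Sales table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Sales (custid INTEGER, prodid TEXT, issue INTEGER, datesold TEXT)"
    )
    conn.executemany("INSERT INTO Sales VALUES (?, ?, ?, ?)", SALES_ROWS)
    return conn


def latest_sales_for_customer(conn: sqlite3.Connection, custid) -> list:
    """Parameterised form: the SQL text is fixed, the value travels separately.

    Python's sqlite3 strips the leading '@' from each placeholder and looks
    the name up in the supplied dict, so {"custid": ...} binds @custid.
    Whatever is passed in is treated as a single value to compare against
    the custid column, never as part of the statement.
    """
    return conn.execute(LATEST_SALES_SQL, {"custid": custid}).fetchall()


def latest_sales_concatenated(conn: sqlite3.Connection, custid) -> list:
    """The pattern the answers warn against: the value is spliced into the SQL.

    Kept here only to show the difference; with a non-numeric input the
    statement's meaning changes, which is exactly what binding prevents.
    """
    sql = LATEST_SALES_SQL.replace("@custid", str(custid))
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print("bound, custid=1:      ", latest_sales_for_customer(db, 1))
    print("bound, hostile input: ", latest_sales_for_customer(db, "1 OR 1=1"))
    print("spliced, hostile input:", latest_sales_concatenated(db, "1 OR 1=1"))
```

With a legitimate customer id both functions return the same two rows (the most recent sale of each prodid/issue for customer 1). With the input `1 OR 1=1`, the bound version returns no rows, because the string is compared as a value against an integer column and simply matches nothing, while the spliced version returns rows belonging to other customers because the condition itself has been rewritten. That difference is the "zero chance for SQL injection" Kibbee refers to: the database engine never parses user input as SQL when the value arrives through a parameter.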