tags:

views:

3593

answers:

6
+4  Q: 

What does the "@" symbol do in SQL?

I was browsing through the questions and noticed this:

SELECT prodid, issue FROM Sales WHERE custid = @custid AND datesold = SELECT MAX(datesold) FROM Sales s WHERE s.prodid = Sales.prodid AND s.issue = Sales.issue AND s.custid = @custid

I was wondering what the "@" does in front of custID? Is it just a way of referencing the custID from the table being selected?

+12  A: 

@ is used as a prefix denoting stored procedure and function parameter names, and also variable names

Steven A. Lowe  2008-12-12 03:04:14
+6  A: 

The @CustID means it's a parameter that you will supply a value for later in your code. This is the best way of protecting against SQL injection. Create your query using parameters, rather than concatenating strings and variables. The database engine puts the parameter value into where the placeholder is, and there is zero chance for SQL injection.

Kibbee  2008-12-12 03:05:13
 2008-12-16 16:07:18
@Mark: Could you explain how that's a valid SQL injection attempt? As far as I can see, it would error out if sent to SqlServer.
Michael Todd  2009-07-27 18:47:04
A: 

Its a parameter the you need to define. to prevent SQL Injection you should pass all your variables in as parameters.

bendewey  2008-12-12 03:05:23
+1  A: 

You may be used to MySQL's syntax: Microsoft SQL @ is the same as the MySQL's ?

amdfan  2008-12-12 03:07:35
A: 

So would you set what @custID's value is inside this select query or before you do the query?

SET @custID = '1';

Something like that?

Levi  2008-12-12 03:27:15
If the SQL is a stored procedure, you would set it before the query. The details for this are language \ platform specific.If it is a pure query you would have to define the variable and then set it: DECLARE @custID int SET @custID = 1;
Anthony K  2008-12-12 03:57:16
+1  A: 

What you are talking about is the way a parameterized query is written. '@' just signifies that it is a parameter. You can add the value for that parameter during execution process

eg:
sqlcommand cmd = new sqlcommand(query,connection);
cmd.parameters.add("@custid","1");
sqldatareader dr = cmd.executequery();
Samiksha  2008-12-12 05:24:25

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP