Give me parameterized SQL, or give me death

Jeff Atwood

26 Apr 2005 — 1 min read — Comments

I have fairly strong feelings when it comes to the stored procedures versus dynamic SQL argument, but one thing is clear: you should never, ever use concatenated SQL strings in your applications. Give me parameterized SQL, or give me death. There are two good reasons you should never do this.

First, consider this naive concatenated SQL:

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x';

Code like this opens your app to SQL injection attacks, and it’s a huge, gaping vulnerability. Steve Friedl’s SQL Injection Attacks by Example provides an excellent visual blow-by-blow of what can happen when you write code this naive. Here’s the Reader’s Digest version:

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x' OR full_name LIKE '%Bob%';

I know what you’re thinking. No, escaping the strings doesn’t protect you; see Steve’s article.

Second, parameterized SQL performs better. A lot better. Consider the parameterized version of the above:

SqlConnection conn = new SqlConnection(_connectionString);
conn.Open();
string s = "SELECT email, passwd, login_id, full_name " +
"FROM members WHERE email = @email";
SqlCommand cmd = new SqlCommand(s);
cmd.Parameters.Add("@email", email);
SqlDataReader reader = cmd.ExecuteReader();

This code offers the following pure performance benefits:

Fewer string concatenations
No need to worry about any kind of manual string escaping
A more generic query form is presented to db, so it’s likely already hashed and stored as a pre-compiled execution plan
Smaller strings are sent across the wire

Non-parameterized SQL is the GoTo statement of database programming. Don’t do it, and make sure your coworkers don’t either.

Welcome to The Internet of Compromised Things

This post is a bit of a public service announcement, so I’ll get right to the point: Every time you use WiFi, ask yourself: could I be connecting to the Internet through a compromised router with malware? It’s becoming more and more common to see malware installed not

Computer Crime, Then and Now

I’ve already documented my brief, youthful dalliance with the illegal side of computing as it existed in the late 1980s. But was it crime? Was I truly a criminal? I don’t think so. To be perfectly blunt, I wasn’t talented enough to be any kind of threat.

I Was a Teenage Hacker

Twenty-four years ago today, I had a very bad day. On August 8, 1988, I was a senior in high school. I was working my after school and weekend job at Safeway as a cashier, when the store manager suddenly walked over and said I better stop ringing up customers

Make Your Email Hacker Proof

It’s only a matter of time until your email gets hacked. Don’t believe me? Just read this harrowing cautionary tale. When [my wife] came back to her desk, half an hour later, she couldn’t log into Gmail at all. By that time, I was up and looking

Recent Posts

The Road Not Taken is Guaranteed Minimum Income

The dream is incomplete until we share it with our fellow Americans.

Let's Talk About The American Dream

A few months ago I wrote about what it means to stay gold — to hold on to the best parts of ourselves, our communities, and the American Dream itself. But staying gold isn’t passive. It takes work. It takes action. It takes hard conversations that ask us to confront

Stay Gold, America

We are at an unprecedented point in American history, and I'm concerned we may lose sight of the American Dream.

The Great Filter Comes For Us All

With a 13 billion year head start on evolution, why haven’t any other forms of life in the universe contacted us by now? (Arrival is a fantastic movie. Watch it, but don’t stop there – read the Story of Your Life novella it was based on for so much

I’m feeling unlucky... 🎲 See All Posts

Related posts

Recent Posts