Hi There,

What's the better way to follow when we use sql
string sql = "Inset into table(f1,f2) values (@f1, @f2)";

then add and passing parameters or in the first place itselef assign the
values to the string
string sql = "Inset into table(f1,f2) values (" + tbName.text + ", " +
tbCity.Text +");";

Thanks

Ganesh

* Ganesh wrote, On 29-7-2007 13:31:

add and passing parameters is the only way to go. You'll be vulnerable
to all kinds of security issues otherwise. (read up on SQL Injection).

Jesse

The best approach is to use parameters--unless you're adding a lot of rows.
In this case SqlBulkCopy is far better.

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant, Dad, Grandpa
Microsoft MVP
INETA Speaker
www.betav.com
www.betav.com/blog/billva
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
-----------------------------------------------------------------------------------------------------------------------

"Ganesh" <gsganesh (AT) yahoo (DOT) com> wrote