
We were using stringstream to prepare select queries in C++. But we were strongly advised to use QUERY PARAMETERS to submit DB2 SQL queries to avoid using stringstream. Can anyone share what exactly is meant by a query parameter in C++? Also, please share some practical sample code snippets.

Appreciate the help in advance.

Edit: It is stringstream and not strstream.

Thanks, Mathew Liju

Liju Mathew
  • This question relates to SQL, not C++; but I'm not an SQL expert, so I'll let others actually answer the question. :-) – C. K. Young Nov 19 '08 at 04:44

2 Answers


I suspect this refers to parameterized queries in general: rather than constructing the query in a string, they supply SQL variables (or parameters) and then pass those variables separately. These are much better for handling SQL injection attacks. To illustrate with an example:

"SELECT * FROM Customers WHERE CustomerId = " + _customerId; 

Is bad, while this:

"SELECT * FROM Customers where CustomerId = @CustomerId" 

is good. The catch is that you have to add the parameters to the query object (I don't know how this is done in C++).

References to other questions:

Wild Wild Web:

vfilby

A SQL query in parameterized form is safer than the string format for avoiding SQL injection attacks. Example of a parameterized query:

// Parameterized form (ADO.NET SqlCommand assumed): the value is bound to
// @companyid and is never spliced into the SQL text itself.
var cmd = new SqlCommand();
StringBuilder sqlstr = new StringBuilder();
sqlstr.Append("SELECT evtconfigurationId, companyid, configname, configimage FROM SCEVT_CONFIGURATIONS ");
sqlstr.Append("WHERE companyid=@companyid ");
cmd.CommandText = sqlstr.ToString();
cmd.Parameters.AddWithValue("@companyid", CompanyID);

Example of the query string format:

// String-concatenation form: CompanyID becomes part of the SQL text,
// so whatever it contains is parsed as SQL.
StringBuilder sqlstr = new StringBuilder();
sqlstr.Append("SELECT evtconfigurationId, companyid, configname, configimage FROM SCEVT_CONFIGURATIONS ");
sqlstr.Append("WHERE companyid=" + CompanyID);
Nakul Chaudhary
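Both answers make the same point, that the value must travel to the database separately from the SQL text; the following is an added example (not from the question or either answer) that shows the difference in behaviour using Python's built-in sqlite3 module, because it runs without a DB2 installation. In DB2 CLI from C++ the same split is SQLPrepare with `?` markers, SQLBindParameter for each value, then SQLExecute; the Customers table, its rows and the O'Brien input below are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table standing in for the Customers table
    # from the first answer, with one name that legitimately contains a quote.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Customers (CustomerId INTEGER, Name TEXT)")
    con.executemany("INSERT INTO Customers VALUES (?, ?)",
                    [(1, "Alice"), (2, "O'Brien"), (3, "Bob")])
    return con


def lookup_concatenated(con, name):
    # The stringstream-style approach: the value is pasted into the SQL text, so the
    # quote in O'Brien terminates the literal early and changes the statement's structure.
    sql = "SELECT CustomerId FROM Customers WHERE Name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, name):
    # Query text is fixed at prepare time; the value is bound to the '?' marker and is
    # handed to the engine as data, never re-parsed as SQL (SQLBindParameter in DB2 CLI).
    sql = "SELECT CustomerId FROM Customers WHERE Name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


def compare(name):
    # Returns (concatenated result or error text, parameterized result) for one input.
    con = make_db()
    try:
        concat = lookup_concatenated(con, name)
    except sqlite3.OperationalError as exc:
        concat = f"error: {exc}"
    return concat, lookup_parameterized(con, name)


if __name__ == "__main__":
    for name in ("Alice", "O'Brien"):
        print(name, "->", compare(name))
```

For "Alice" both forms return the same row; for "O'Brien" the concatenated statement fails to parse while the parameterized one simply finds customer 2, which is the same property that keeps hostile input from being interpreted as SQL.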