What does the "@" symbol do in SQL?

Question

I was browsing through the questions and noticed this:

SELECT prodid, issue
FROM Sales 
WHERE custid = @custid 
AND datesold = SELECT MAX(datesold) 
             FROM Sales s 
             WHERE s.prodid = Sales.prodid
                  AND s.issue = Sales.issue
                  AND s.custid = @custid

I was wondering what the "@" does in front of custID? Is it just a way of referencing the custID from the table being selected?

Is there an official document on this? @ can be used to declare @variable. And also there are some built-in variable like @@ERROR, @@trancount. — ROROROOROROR, May 02 '18 at 03:14

score 79 · Accepted Answer · edited Dec 12 '08 at 04:29

79

The @CustID means it's a parameter that you will supply a value for later in your code. This is the best way of protecting against SQL injection. Create your query using parameters, rather than concatenating strings and variables. The database engine puts the parameter value into where the placeholder is, and there is zero chance for SQL injection.

edited Dec 12 '08 at 04:29

Jonathan Leffler

730,956
141
904
1,278

answered Dec 12 '08 at 03:05

Kibbee

65,369
27
142
182

ZERO? Really? 'SELECT * FROM TABLEn WHERE ID = ' & @Kibbee – Dec 16 '08 at 16:07
10

@Mark: Could you explain how that's a valid SQL injection attempt? As far as I can see, it would error out if sent to SqlServer. – Michael Todd Jul 27 '09 at 18:47
6

The reason that there is no possibility of SQL injection is that the `@CustID ` is replaced with a string. When that database receives one of these variables it knows not to escape the variable for anything inside of it. – Patrick548 Nov 29 '12 at 19:01
Using concatenation of strings for an sql query, you say could lead to sql injection problems. However, if it's used in the api(public/private) that's consumed by your own dev team,, then that should not be a problem right?? – Eswar Oct 01 '18 at 10:43
@Kibbee, so do I have to use @? if we get rid of @, then custid is still a variable name? – Feb 28 '19 at 02:59

score 36 · Answer 2 · answered Dec 12 '08 at 03:04

36

@ is used as a prefix denoting stored procedure and function parameter names, and also variable names

answered Dec 12 '08 at 03:04

Steven A. Lowe

60,273
18
132
202

score 4 · Answer 3 · answered Dec 12 '08 at 03:07

4

You may be used to MySQL's syntax: Microsoft SQL @ is the same as the MySQL's ?

answered Dec 12 '08 at 03:07

ine

14,014
8
55
80

score 3 · Answer 4 · edited Apr 24 '23 at 22:46

3

It's a parameter that you need to define. To prevent SQL injection, you should pass all your variables as parameters.

edited Apr 24 '23 at 22:46

nullromo

2,165
2
18
39

answered Dec 12 '08 at 03:05

bendewey

39,709
13
100
125

score 2 · Answer 5 · answered Dec 12 '08 at 05:24

What you are talking about is the way a parameterized query is written. '@' just signifies that it is a parameter. You can add the value for that parameter during execution process

eg:
sqlcommand cmd = new sqlcommand(query,connection);
cmd.parameters.add("@custid","1");
sqldatareader dr = cmd.executequery();

score 0 · Answer 6 · edited Jul 30 '12 at 20:04

0

publish data where stoloc = 'AB143' 
|
[select prtnum where stoloc = @stoloc]

This is how the @ works.

edited Jul 30 '12 at 20:04

Tisho

8,320
6
44
52

answered Jul 30 '12 at 19:34

marc

1

7

In your answer give more details explaining how the `@` works. – JSK NS Oct 11 '12 at 11:45

score 0 · Answer 7 · answered Jul 26 '17 at 06:28

0

@ followed by a number is the parameters in the order they're listed in a function.

answered Jul 26 '17 at 06:28

ZeroPhase

649
4
21

Can give an example please? – Lucas Vazquez Nov 17 '19 at 03:26

What does the "@" symbol do in SQL?

7 Answers7

Linked

Related