
I have a query that previously was name=N'hook' and then was changed to name=@name. These changes were made in order to avoid SQL injection. I think the new code is missing the single quotes and the prefix N, but I'm not sure.

//OLD CODE with prefix N, the param is wrapped in single quotes (string concatenation)
var schemaName = "";
...
var command = new SqlCommand("SELECT schema_id FROM sys.schemas WHERE name = N'" + schemaName + "'");

//OLD CODE without prefix N, the param is wrapped in single quotes (string concatenation)
var schemaName = "";
...
var command = new SqlCommand("SELECT schema_id FROM sys.schemas WHERE name = '" + schemaName + "'");

//NEW CODE (parameterized: the value is sent as data, so no quotes or N prefix in the SQL text)
var schemaName = "";
...
var command = new SqlCommand("SELECT schema_id FROM sys.schemas WHERE name = @schemaName");
command.Parameters.Add(new SqlParameter("@schemaName", schemaName));
– sese sese
  • Your new code is correct, although I suggest you specify the parameter data type and length explicitly. You can do it nice and short like this: `command.Parameters.Add("@schemaName", SqlDbType.NVarChar, 128).Value = schemaName;` – Charlieface Jun 09 '21 at 10:46

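The following is an added, complete C# example (not code from the question or the comment) that puts the parameterized lookup together with the explicit `SqlDbType.NVarChar, 128` declaration suggested in the comment. `sys.schemas.name` is of type `sysname`, i.e. `nvarchar(128)`, so declaring the parameter with that type and length matches the column and avoids the implicit-length inference that `new SqlParameter(name, object)` performs. The connection string, the `SchemaLookup` class and the method names are assumptions for illustration; the lookup needs a live SQL Server to actually return a value.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient;   // use System.Data.SqlClient on older .NET Framework projects

public static class SchemaLookup
{
    // Builds the parameterized command. The SQL text is a constant: the caller's value
    // never becomes part of it, so no quoting or N'' prefix is needed in the statement.
    // NVarChar(128) matches sysname, the type of sys.schemas.name.
    public static SqlCommand BuildCommand(SqlConnection connection, string schemaName)
    {
        var command = new SqlCommand(
            "SELECT schema_id FROM sys.schemas WHERE name = @schemaName", connection);
        command.Parameters.Add("@schemaName", SqlDbType.NVarChar, 128).Value = schemaName;
        return command;
    }

    // Returns the schema_id, or null when no schema with that name exists.
    // ExecuteScalar returns null when the query produces no rows, so that case is
    // handled explicitly instead of throwing on the cast.
    public static int? GetSchemaId(string connectionString, string schemaName)
    {
        using var connection = new SqlConnection(connectionString);
        connection.Open();
        using var command = BuildCommand(connection, schemaName);
        object result = command.ExecuteScalar();
        if (result is null || result is DBNull)
        {
            return null;
        }
        return Convert.ToInt32(result);
    }

    public static void Main()
    {
        // Placeholder connection string (assumption); adjust for your environment.
        const string connectionString =
            "Server=localhost;Database=master;Integrated Security=true;TrustServerCertificate=true";

        int? id = GetSchemaId(connectionString, "dbo");
        Console.WriteLine(id.HasValue ? $"schema_id = {id.Value}" : "schema not found");
    }
}
```

The `BuildCommand` method is separated from `GetSchemaId` so the command can be inspected in a unit test without a database: its `CommandText` is the same fixed string for every input, and the user-supplied value only ever appears in `command.Parameters["@schemaName"].Value`. That separation is the property the question is asking about, and it holds whether or not the value contains quotes.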
0 Answers