Chris Locke wrote:
> From a newbie's point of view, how is this better (if doing it in 'hard
> coded' format like below) than writing this code:
>
> command.CommandText = string.Format("INSERT INTO trend_data (tag_key,
> value, value_timestamp) VALUES ({0}, {1}, {2})", 2, 234.56, now);

Using parameters is not too much of an improvement in a case like this. But when you have strings (or values that _could_ be strings because you don't completely control their source), you have to format them correctly (many people forget escaping quotes), and you run the risk of SQL injections: <http://bobby-tables.com/>. And when you already have to use parameters for any query with strings, it's a good habit to use them everywhere.

Handling parameters is excessively complex in .NET. It might be a good idea to write a helper format that is as simple as format():

db.execute("INSERT INTO tab VALUES (?, ?, ?)", 123, name, now);

Regards,
Clemens
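The helper Clemens sketches, written out as an added example (not code from the thread) in Python with the standard sqlite3 module rather than .NET, since the shape of the idea is the same: the SQL is a constant with `?` placeholders and the values follow as ordinary arguments. The `trend_data` table and its rows are constructed for the example. The two lookups run the same input through a string-formatted query and through the bound-parameter helper, which shows the two failure modes the reply mentions: a stray quote that breaks the statement, and a value that rewrites the WHERE clause.

```python
import sqlite3

# Constructed in-memory copy of the table from the thread; the rows are sample data.
SCHEMA = "CREATE TABLE trend_data (tag_key INTEGER, value REAL, value_timestamp TEXT)"
SAMPLE_ROWS = [
    (2, 234.56, "2009-05-01 10:00:00"),
    (2, 235.10, "2009-05-01 10:01:00"),
    (7, 12.00, "2009-05-01 10:00:00"),
]


def open_db():
    """Fresh in-memory database seeded with SAMPLE_ROWS."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO trend_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def execute(db, sql, *params):
    """Helper shaped like the one in the reply: constant SQL with '?'
    placeholders, values passed as plain arguments. SQLite binds the
    values itself, so a value is never parsed as part of the SQL text."""
    cur = db.execute(sql, params)
    db.commit()
    return cur


def insert_reading(db, tag_key, value, ts):
    """The INSERT from the question, through the helper."""
    execute(db, "INSERT INTO trend_data (tag_key, value, value_timestamp) VALUES (?, ?, ?)",
            tag_key, value, ts)


def count_formatted(db, ts):
    """String-formatting approach, with the hand-written quotes a text
    column needs. Any quote inside ts ends the literal early."""
    sql = "SELECT COUNT(*) FROM trend_data WHERE value_timestamp = '{0}'".format(ts)
    return db.execute(sql).fetchone()[0]


def count_parameterized(db, ts):
    """Same query through the helper; ts is bound, never spliced in."""
    return execute(db, "SELECT COUNT(*) FROM trend_data WHERE value_timestamp = ?",
                   ts).fetchone()[0]


def compare(ts):
    """Run both variants on the same input. Returns (formatted, parameterized);
    a variant that raised returns the exception class name instead."""
    db = open_db()
    results = []
    for fn in (count_formatted, count_parameterized):
        try:
            results.append(fn(db, ts))
        except sqlite3.Error as exc:
            results.append(type(exc).__name__)
    db.close()
    return tuple(results)


if __name__ == "__main__":
    # A normal value: both agree.
    print(compare("2009-05-01 10:00:00"))   # (2, 2)
    # A stray apostrophe, e.g. from a pasted field: formatting breaks the statement.
    print(compare("10:00' o'clock"))        # ('OperationalError', 0)
    # A value that closes the literal and appends a condition: the formatted
    # query matches every row, the bound parameter matches none.
    print(compare("x' OR '1'='1"))          # (3, 0)
```

With the helper, callers never think about quoting at all, which is the habit the reply recommends: once every text column goes through `?`, there is no reason to keep the format() path around for the numeric ones.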

