Description:
This property is very similar to the CommandText property, but it takes parameters (for large objects, for example). Each parameter in the prepared SQL query is written as a question mark '?' in place of the actual value. For example, "select * from my_table where my_field like 'some_text'" becomes "select * from my_table where my_field like ?" (no quotes around the '?': a quoted '?' is an ordinary one-character string literal, not a placeholder). Before the query is executed, you must call the AddParameter function once for each '?', in the order the placeholders appear, to supply the values. Placeholders stand for values only; table and column names cannot be passed this way.
This property is recommended over the CommandText version for:
- inserting or adding data to a table where at least one field value comes from the user (who may be an attacker)
- performing a search (select) where at least one criterion comes directly from the user (who may be an attacker)
- working with large fields (LOB), whose binary content cannot safely be spliced into the SQL text
If no parameter is provided, this property acts exactly like
CommandText.
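The following is an added example, not the component's own code, showing why the prepared form is recommended for the search and LOB cases above. It uses Python's sqlite3 module, which takes the same positional '?' placeholders; conn.execute(sql, params) plays the role of setting the prepared SQL and calling AddParameter once per '?'. The table, rows and blob are constructed for the demonstration.

```python
"""Added example (not the component's own code): the search and the LOB
insert described above, written against Python's sqlite3 module, which uses
the same positional '?' placeholders. conn.execute(sql, params) plays the
role of setting the prepared SQL and calling AddParameter once per '?'."""
import sqlite3

# Constructed sample data: three accounts and a 16 KiB binary payload
# standing in for a large object (LOB).
ROWS = [("alice", "user"), ("bob", "user"), ("root", "admin")]
SECRET = bytes(range(256)) * 64


def make_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table my_table (my_field text, role text)")
    conn.executemany("insert into my_table values (?, ?)", ROWS)
    conn.execute("create table blobs (name text, payload blob)")
    return conn


def search_concat(conn, user_text):
    """CommandText style: the user's text is spliced into the SQL string.
    A value such as  ' OR '1'='1  closes the literal and rewrites the WHERE
    clause, so the query no longer means what the programmer wrote."""
    sql = "select my_field from my_table where my_field like '" + user_text + "'"
    return [row[0] for row in conn.execute(sql)]


def search_prepared(conn, user_text):
    """Prepared style: a bare '?' stands for the value; the driver binds it
    as data, so quotes inside user_text can never end the literal."""
    sql = "select my_field from my_table where my_field like ?"
    return [row[0] for row in conn.execute(sql, (user_text,))]


def quoted_placeholder_is_literal(conn):
    """Illustrates the "(no quotes)" rule: '?' inside quotes is just a
    one-character string, not a placeholder, so the supplied parameter has
    nothing to bind to and the driver rejects the statement."""
    sql = "select my_field from my_table where my_field like '?'"
    try:
        conn.execute(sql, ("alice",))
    except sqlite3.ProgrammingError:
        return True
    return False


def store_and_fetch_blob(conn, name, payload):
    """LOB case: binary data travels as a bound parameter, never through the
    SQL text, so no escaping or encoding of the bytes is needed."""
    conn.execute("insert into blobs values (?, ?)", (name, payload))
    row = conn.execute("select payload from blobs where name = ?", (name,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"
    print("concat  :", search_concat(db, attack))    # every row leaks
    print("prepared:", search_prepared(db, attack))  # nothing matches
    print("quoted ? rejected:", quoted_placeholder_is_literal(db))
    print("blob round-trips :", store_and_fetch_blob(db, "k", SECRET) == SECRET)
    # Binding stops injection but not LIKE's own wildcards: '%' still
    # matches every row, so validate or escape wildcards separately.
    print("wildcard:", search_prepared(db, "%"))
```

Note the last line of the demonstration: binding protects the structure of the statement, not the semantics of LIKE. A user-supplied '%' or '_' is still interpreted as a wildcard, so if that matters for the search, escape those characters (with an ESCAPE clause) or reject them before binding.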