I was browsing through the questions and noticed this:
SELECT prodid, issue
FROM Sales
WHERE custid = @custid
AND datesold = SELECT MAX(datesold)
FROM Sales s
WHERE s.prodid = Sales.prodid
AND s.issue = Sales.issue
AND s.custid = @custid
I was wondering what the "@" does in front of custID? Is it just a way of referencing the custID from the table being selected?
This question is related to
sql
The @CustID means it's a parameter that you will supply a value for later in your code. This is the best way of protecting against SQL injection. Create your query using parameters, rather than concatenating strings and variables. The database engine puts the parameter value into where the placeholder is, and there is zero chance for SQL injection.
What you are talking about is the way a parameterized query is written. '@' just signifies that it is a parameter. You can add the value for that parameter during execution process
eg:
sqlcommand cmd = new sqlcommand(query,connection);
cmd.parameters.add("@custid","1");
sqldatareader dr = cmd.executequery();
@ is used as a prefix denoting stored procedure and function parameter names, and also variable names
Its a parameter the you need to define. to prevent SQL Injection you should pass all your variables in as parameters.
You may be used to MySQL's syntax: Microsoft SQL @ is the same as the MySQL's ?
@ followed by a number is the parameters in the order they're listed in a function.
@ is used as a prefix denoting stored procedure and function parameter names, and also variable names
@ followed by a number is the parameters in the order they're listed in a function.
publish data where stoloc = 'AB143'
|
[select prtnum where stoloc = @stoloc]
This is how the @ works.
@ is used as a prefix denoting stored procedure and function parameter names, and also variable names
You may be used to MySQL's syntax: Microsoft SQL @ is the same as the MySQL's ?
Its a parameter the you need to define. to prevent SQL Injection you should pass all your variables in as parameters.
What you are talking about is the way a parameterized query is written. '@' just signifies that it is a parameter. You can add the value for that parameter during execution process
eg:
sqlcommand cmd = new sqlcommand(query,connection);
cmd.parameters.add("@custid","1");
sqldatareader dr = cmd.executequery();
publish data where stoloc = 'AB143'
|
[select prtnum where stoloc = @stoloc]
This is how the @ works.
What you are talking about is the way a parameterized query is written. '@' just signifies that it is a parameter. You can add the value for that parameter during execution process
eg:
sqlcommand cmd = new sqlcommand(query,connection);
cmd.parameters.add("@custid","1");
sqldatareader dr = cmd.executequery();
Its a parameter the you need to define. to prevent SQL Injection you should pass all your variables in as parameters.
You may be used to MySQL's syntax: Microsoft SQL @ is the same as the MySQL's ?
Source: Stackoverflow.com