05-21-2009, 10:38 AM
stevegula Wrote:
Or filter the user input before you use it... which is mainly what a parameterized query is doing for you.

Sure, multiple ways to skin a cat. IMO it's a pain in the ass, you are duplicating code, and you always run the risk of missing something or having bugs in your code. I'm a lazy programmer so I love to reuse good tested code that makes my life easier.
Instead of rewriting all of his DB queries he could just filter all of his POST/GET data before using it.
With parameterized queries you also get other benefits such as performance, and you are properly keeping data layer code out of your presentation layer.
IMO it's a lot easier and quicker to convert a concatenated query into a parameterized query than it is to write messy input validation.
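
The conversion the post describes, shown as an added example (not code from the thread): the concatenated query beside its parameterized form, run against a constructed in-memory SQLite table so the difference in behaviour on awkward input is visible. Python and sqlite3 are assumed here as a stand-in for whatever DB layer the original poster uses.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demo, not from the original thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", [
        ("alice", "alice@example.invalid"),
        ("O'Brien", "obrien@example.invalid"),
        ("bob", "bob@example.invalid"),
    ])
    return conn

def find_by_name_concat(conn, name):
    # The 'before' form: the request value is pasted into the SQL text, so
    # any quote or SQL syntax in it becomes part of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_by_name_param(conn, name):
    # The 'after' form: the SQL text is fixed and the value travels separately,
    # so the driver always treats it as data. No per-field filtering needed.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def compare(name):
    # Returns (result of concatenated query, result of parameterized query)
    # for the same input; the concatenated form may raise on a stray quote.
    conn = make_db()
    try:
        concat = find_by_name_concat(conn, name)
    except sqlite3.OperationalError as e:
        concat = "error: " + str(e)
    param = find_by_name_param(conn, name)
    conn.close()
    return concat, param

if __name__ == "__main__":
    for probe in ["alice", "O'Brien", "x' OR 'a'='a"]:
        print(repr(probe), "->", compare(probe))
```

A legitimate name with an apostrophe breaks the concatenated query outright, and input containing SQL syntax changes its meaning, while the parameterized query simply matches (or fails to match) the literal string.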
