Passing String as Parameter in SQL Query

You can concatenate the string with the parameters, but this approach may open you up to an SQL injection vulnerability.

A better way is to leverage SQL query parameters.
If you use an ODBC connection, simply replace each parameter in the SQL query with "?",
e.g.
SELECT * FROM tblName WHERE arg1=? and arg2=?
(for the SQL Server driver use SELECT * FROM tblName WHERE arg1=@param1_name and arg2=@param2_name)

Then create two parameters (the name does not matter for an ODBC connection) ordered as in the query.

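As an added illustration (not part of the post above), here are the two approaches side by side in Python using the standard sqlite3 module, which takes the same positional "?" placeholders as an ODBC connection; the tblName table and its rows are constructed for the demo, and the carry-over of the binding to an ODBC driver is an assumption.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for tblName from the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblName (arg1 TEXT, arg2 INTEGER)")
    conn.executemany(
        "INSERT INTO tblName VALUES (?, ?)",
        [("O'Brien", 1), ("Smith", 2), ("O'Brien", 3)],
    )
    conn.commit()
    return conn


def query_concat(conn, arg1, arg2):
    # Concatenation: the value becomes part of the SQL text. A single quote
    # in the data already breaks the statement, and any text the caller
    # supplies is parsed as SQL rather than treated as data.
    sql = "SELECT * FROM tblName WHERE arg1='" + arg1 + "' and arg2=" + str(arg2)
    return conn.execute(sql).fetchall()


def query_params(conn, arg1, arg2):
    # Parameters: each "?" is bound to one value, in the order they appear
    # in the query. The values travel separately from the SQL text, so
    # quotes or keywords inside them are never interpreted as SQL.
    sql = "SELECT * FROM tblName WHERE arg1=? and arg2=?"
    return conn.execute(sql, (arg1, arg2)).fetchall()


def demo(arg1="O'Brien", arg2=1):
    # Returns (concatenated result or error text, parameterized result)
    # so the difference can be inspected or asserted on.
    conn = make_db()
    try:
        concat_result = query_concat(conn, arg1, arg2)
    except sqlite3.OperationalError as exc:
        concat_result = "error: " + str(exc)
    param_result = query_params(conn, arg1, arg2)
    return concat_result, param_result


if __name__ == "__main__":
    concat_out, param_out = demo()
    print("concatenated:", concat_out)   # syntax error caused by the apostrophe
    print("parameterized:", param_out)   # [("O'Brien", 1)]
```

With pyodbc the same "?" query and the same ordered tuple of values work unchanged; only the connection object differs.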