12 Sep 2006, 12:26 p.m.
Scott Meyers wrote:
An example: System.Data.SqlClient.SqlParameter is a class that describes a bound parameter used in a database statement. Bound parameters are essential to prevent SQL injection attacks. They should be exceedingly easy to use since the "competition" (string concatenation of parameters into the SQL statement) is easy, well understood, and dangerous.
You can construct safe SQL queries with streams or printf-like syntax easily:

    sql << "select first_name, last_name, date_of_birth "
           "from persons where id = " << id

No need to put objects everywhere that complexify everything.
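Added example, not code from this thread or from either poster: what the `<<` syntax above needs in order to deliver bound parameters rather than string concatenation. A hypothetical SqlBuilder whose `<<` emits a `?` placeholder and stores the value for the driver is shown beside the plain std::ostringstream version; the builder class, the lookup of `persons` by `last_name` and the sample input are assumptions.

```cpp
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stream-style builder (not a real driver API): `<<` keeps the
// convenient syntax but never splices a value into the SQL text. Literal
// fragments are appended verbatim; any other value becomes a "?" placeholder
// and is stored separately so the database driver can bind it.
class SqlBuilder {
public:
    SqlBuilder& operator<<(const char* fragment) { sql_ += fragment; return *this; }
    SqlBuilder& operator<<(int value) { return bind(std::to_string(value)); }
    SqlBuilder& operator<<(const std::string& value) { return bind(value); }
    const std::string& text() const { return sql_; }
    const std::vector<std::string>& params() const { return params_; }
private:
    SqlBuilder& bind(std::string v) { sql_ += "?"; params_.push_back(std::move(v)); return *this; }
    std::string sql_;
    std::vector<std::string> params_;
};

// The same syntax through a plain std::ostringstream: the value lands inside
// the statement text, so the query the database parses depends on the input.
std::string concatenated_query(const std::string& last_name) {
    std::ostringstream sql;
    sql << "select first_name, last_name, date_of_birth "
           "from persons where last_name = '" << last_name << "'";
    return sql.str();
}

// Through the builder: the statement text is fixed and the value travels as a
// bound parameter, so a quote in the input cannot change the SQL.
SqlBuilder bound_query(const std::string& last_name) {
    SqlBuilder sql;
    sql << "select first_name, last_name, date_of_birth "
           "from persons where last_name = " << last_name;
    return sql;
}

int main() {
    const std::string name = "O'Brien";  // constructed sample input
    // Concatenation: the apostrophe terminates the SQL string literal early.
    std::string unsafe = concatenated_query(name);
    // Binding: the text still ends in "?" and the apostrophe stays in the parameter.
    SqlBuilder safe = bound_query(name);
    bool ok = safe.params().size() == 1 && safe.params()[0] == name
              && unsafe.find("'O'Brien'") != std::string::npos;
    return ok ? 0 : 1;
}
```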