The problems with PreparedStatement stem from its syntax for parameters. Parameters are anonymous and accessed by index as in the following: PreparedStatement p = con.prepareStatement("select * from ...
I have an app that's been deployed a while and today I get some complaint that it's crashing. So I go and investigate and narrow down the problem to a single quote that is finding its way into a SQL ...