Why we do SQLiteCommand, Parameters.add while we can use string.Format to compose sql statement?

I saw in many tutorial that compose sql statement by using variable and Parameters.Add likt this

public void updateStudent(String @studentID, String @firstName, String @lastName)
{
    SQLiteCommand command = conn.CreateCommand();
    command.CommandText = "UPDATE Students SET firstName = @firstName, lastName = @lastName WHERE studentID = @studentID";
    command.Parameters.Add(new SQLiteParameter("@studentID", @studentID));
    command.Parameters.Add(new SQLiteParameter("@firstName", @firstName));
    command.Parameters.Add(new SQLiteParameter("@lastName" , @lastName));
    command.ExecuteNonQuery();
}

why don't we use 

string.Format("Update Students SET firstName = '{0}', lastName = '{1}...", @firstName, @lastname)

any benefit??

Jon Skeet
people
quotationmark

Four reasons:

  • Avoiding SQL injection attacks
  • Avoiding problems with strings containing genuine apostrophes with no intention of causing a SQL injection attack (e.g. a last name of "O'Reilly"
  • Avoiding string unnecessary conversions, which can cause failures for cultural reasons (e.g. the difference between "1.23" and "1,23" depending on your culture
  • Keeping the code (SQL) and the data (parameters) separate for cleaner readability

Also note:

  • This isn't SQLite specific. It's best practice for all databases.

  • You don't need to use @ as a prefix to your variables unless they're keywords. So it would be more idiomatic to write:

    command.Parameters.Add(new SQLiteParameter("@lastName", lastName));

    (Ditto for the method parameter declarations to start with... but not the parameters inside the SQL statement.)

people

See more on this question at Stackoverflow