There are two advantages to using parameterized queries:
1. As written, your query string is susceptible to an SQL injection issue that could be exploited by someone.
2. Improved performance. You won't notice a difference in your example, but if you were looping and inserting lots of rows with the same SQL statement using different data values, you should prepare the query outside of the loop (one time), then bind values and exec inside the loop. This allows the db engine to optimize the query when it is prepared and reduces overhead when executing the prepared query over and over again.
As you have written your example, there's really no benefit to you doing a prepare/exec since you are building the query string dynamically and only executing the prepared query once. You could just as easily have passed the query string to exec and skipped the prepare. I would recommend, however, that you get used to using parameterized queries, which are more secure and offer better performance.
Good luck.
Jeff
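As an added illustration (not part of Jeff's reply), both points above demonstrated with Python's standard sqlite3 module as a stand-in for whatever database API the question used. The sample rows and the hostile "name" value are constructed, and executescript is used to mimic a driver that runs every statement found in the query string.

```python
import sqlite3

# Constructed sample data; the third "name" is a value an attacker could supply.
ROWS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("mallory', 'x'); DELETE FROM users; --", "m@example.org"),
]


def setup():
    """Fresh in-memory database with a single table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    return conn


def insert_concatenated(conn, rows):
    """The pattern from the question: SQL text built from the data (vulnerable).

    The hostile name closes the VALUES clause, appends a DELETE and comments
    out the rest, so the loop ends with an empty table instead of three rows.
    """
    for name, email in rows:
        sql = "INSERT INTO users (name, email) VALUES ('%s', '%s')" % (name, email)
        conn.executescript(sql)  # runs every statement the string now contains
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def insert_parameterized(conn, rows):
    """Prepare once, bind per row: the SQL text is fixed, values travel separately.

    executemany compiles the statement a single time and re-binds it for each
    row, which is the prepare-outside-the-loop shape described in the reply.
    """
    sql = "INSERT INTO users (name, email) VALUES (?, ?)"
    conn.executemany(sql, rows)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def stored_names(conn):
    """Names as actually stored, in insertion order."""
    return [r[0] for r in conn.execute("SELECT name FROM users ORDER BY rowid")]
```

With parameters the hostile string is stored verbatim as a name; it never becomes SQL.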