Mike Yearwood
Toronto, Ontario, Canada
General information
Category:
Coding, syntax and commands
SQL Server itself provides a model. Have your data class behave like SQL Server by accepting parameters and creating a SQL query instead of running custom GetCustomersByState methods. If your data class creates parameterized SQL commands, the users' entries are not executed and there is no SQL Injection Attack. You can also customize the SQL for any backend.
>I'm soliciting opinions on which is the better design:
>
>Create a class that acts as a tier that has methods to return all the types of data I need, such as
>'GetCustomersByState()'. This class would have the responsibility of knowing
>the data store.
>
>I could then call into this class and get back any data I need. Switching from VFP to SQL to Oracle
>would only entail modifying this class to match changes in structure on the new DB.
>
>The other option is to create stored procedures for each set of data I might need. Problem here is that
>the stored procs would need to be converted to work with the target database.
>
>Inquiring minds wanna know.
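
A sketch of the data class the reply describes, added here as an example; it is not code from the thread or from either poster. The names `DataSource` and `SCHEMA` are hypothetical, an in-memory SQLite table stands in for the backend, and the two placeholder styles are the Python DB-API `qmark` and `numeric` paramstyles. It goes one step past the post: column and table names cannot be bound as parameters, so they are checked against a known schema, while values are always bound.

```python
import sqlite3

# Hypothetical schema allowlist: identifiers cannot be bound as parameters,
# so the data class only accepts table and column names it already knows.
SCHEMA = {"customers": {"id", "name", "state"}}


class DataSource:
    """Builds a parameterized SELECT from a table name and filter values."""

    def __init__(self, conn, paramstyle="qmark"):
        self.conn = conn
        self.paramstyle = paramstyle  # "qmark" -> ?, "numeric" -> :1, :2, ...

    def _marker(self, position):
        return "?" if self.paramstyle == "qmark" else f":{position}"

    def build(self, table, **filters):
        columns = SCHEMA.get(table)
        if columns is None:
            raise ValueError(f"unknown table: {table!r}")
        unknown = set(filters) - columns
        if unknown:
            raise ValueError(f"unknown column(s): {sorted(unknown)}")
        sql = f"SELECT {', '.join(sorted(columns))} FROM {table}"
        names = sorted(filters)  # stable order so SQL text and values line up
        if names:
            clauses = [f"{n} = {self._marker(i)}" for i, n in enumerate(names, 1)]
            sql += " WHERE " + " AND ".join(clauses)
        # User-supplied values travel separately from the SQL text.
        return sql, [filters[n] for n in names]

    def fetch(self, table, **filters):
        sql, params = self.build(table, **filters)
        return self.conn.execute(sql, params).fetchall()


def demo():
    """Return a DataSource over a constructed three-row sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, state TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Acme", "NY"), (2, "Bolt", "CA"), (3, "Cog", "NY")],  # constructed rows
    )
    return DataSource(conn)
```

Calling `demo().fetch("customers", state=user_entry)` replaces a dedicated `GetCustomersByState()` method; switching backends means changing the placeholder style, not the callers.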