Level Extreme platform
Subscription
Corporate profile
Products & Services
Support
Legal
Français
Documentation
Message
From
17/11/2006 12:13:21
Keith Payne
Technical Marketing Solutions
Florida, United States
 
 
To
17/11/2006 11:02:04
Daniel Vargas
Ing. Sistemas
Bogotá, Colombia
General information
Forum:
ASP.NET
Category:
Other
Title:
Re: Documentation
Miscellaneous
Thread ID:
01170722
Message ID:
01170750
Views:
10
>Hi
>
>I need a favor , where I see what's the advantages and disadvantages to use Sqlparameters and send the string
>
>Ex:
>
>select * from tbale where cod=1000
>
>and
>
>select * from tbla where code=@Number
>
>Thanks

Advantages:

Prevents one form of SQL injection attack.
If the query is part of a stored procedure, using parameters allows the query optimizer to cache the execution plan which saves the compilation time for subsequent executions.

Disadvantages:

When different parameter values can change the size of the result set by a large factor, the cached execution plan may not be the most efficient execution plan.
e.g.
select * from tblA where ((@Number is null) or (code = @Number))
If the preceding code is called with @Number = 12554, one row is returned. If tblA contains 13M rows, then calling with @Number = null returns all 13M rows.

In the first query, an index seek + bookmark lookup is optimal.
In the second query, a table scan is optimal.

If the second query runs with the first query's execution plan, it would likely increase the run time by 500% or more.

**** None of this matters if you are using CommandText. The only consideration with CommandText is the security that you get using parameters.
Previous
Next
Reply
Map
View

Click here to load this message in the networking platform