Plateforme Level Extreme
Abonnement
Profil corporatif
Produits & Services
Support
Légal
English
Documentation
Message
De
17/11/2006 12:13:21
Keith Payne
Technical Marketing Solutions
Floride, États-Unis
 
 
À
17/11/2006 11:02:04
Daniel Vargas
Ing. Sistemas
Bogotá, Colombie
Information générale
Forum:
ASP.NET
Catégorie:
Autre
Titre:
Re: Documentation
Divers
Thread ID:
01170722
Message ID:
01170750
Vues:
11
>Hi
>
>I need a favor , where I see what's the advantages and disadvantages to use Sqlparameters and send the string
>
>Ex:
>
>select * from tbale where cod=1000
>
>and
>
>select * from tbla where code=@Number
>
>Thanks

Advantages:

Prevents one form of SQL injection attack.
If the query is part of a stored procedure, using parameters allows the query optimizer to cache the execution plan which saves the compilation time for subsequent executions.

Disadvantages:

When different parameter values can change the size of the result set by a large factor, the cached execution plan may not be the most efficient execution plan.
e.g.
select * from tblA where ((@Number is null) or (code = @Number))
If the preceding code is called with @Number = 12554, one row is returned. If tblA contains 13M rows, then calling with @Number = null returns all 13M rows.

In the first query, an index seek + bookmark lookup is optimal.
In the second query, a table scan is optimal.

If the second query runs with the first query's execution plan, it would likely increase the run time by 500% or more.

**** None of this matters if you are using CommandText. The only consideration with CommandText is the security that you get using parameters.
Précédent
Suivant
Répondre
Fil
Voir

Click here to load this message in the networking platform