Your opinion about stored procedures

[mono]

I agree with nic and patrice. I'd advise further that you use the Command
object and avoid ALL SQL building in ASP. Not only is this often faster but
more importantly it protects you to some extent from SQL injection.

michael

"VB Programmer" <growNO-SPAM@go-intech.com> wrote in message
news:OFJL7sCBDHA.1604@TK2MSFTNGP10.phx.gbl...

> Starting a new ASP.NET web app. What is your opinion. Should I used

stored

> procedures for ALL the SQL statements in my app? Or should I use inline

sql

> (or another method) for simple SELECT queries, etc...
>
> Thanks,
> Robert
>
>

[David Waz...]

Stored procedure is my vote -
Remember to use Parameters collection, and not just tacking your parameters
behind an EXEC statement, otherwise you still have 100% of the injection
problem.

Also, Windows CE - Cannot really use storedprocedures, but I've been placing
my local sql statements into XML files, and created a wrapper class to help
aviod the injection problem, and to make updates much easier.

"mono" <mikeg@n_o_s_p_a_mcimage.com> wrote in message
news:ueSRPwjQDHA.3880@tk2msftngp13.phx.gbl...

> I agree with nic and patrice. I'd advise further that you use the Command
> object and avoid ALL SQL building in ASP. Not only is this often faster

but

> more importantly it protects you to some extent from SQL injection.
>
> michael
>
> "VB Programmer" <growNO-SPAM@go-intech.com> wrote in message
> news:OFJL7sCBDHA.1604@TK2MSFTNGP10.phx.gbl...

> > Starting a new ASP.NET web app. What is your opinion. Should I used

> stored

> > procedures for ALL the SQL statements in my app? Or should I use inline

> sql

> > (or another method) for simple SELECT queries, etc...
> >
> > Thanks,
> > Robert
> >
> >

>
>
>

[Ray Dixon [MVP]]

Hi Robert,

I agree with what Patrice and Nic wrote. Also, something to consider is the
possiblity of adding a Win Forms client to your app in the future - for
administration and/or users. Having your data access separated from
everything else makes it much easier to do this. ;-)


--
Ray Dixon - Microsoft MVP
[email]ray@NOSPAM.greeble.com[/email]
(remove NOSPAM. from my e-mail address for a direct reply)




"VB Programmer" <growNO-SPAM@go-intech.com> wrote in message
news:OFJL7sCBDHA.1604@TK2MSFTNGP10.phx.gbl...

> Starting a new ASP.NET web app. What is your opinion. Should I used

stored

> procedures for ALL the SQL statements in my app? Or should I use inline

sql

> (or another method) for simple SELECT queries, etc...
>
> Thanks,
> Robert
>
>

[Peter Gossmann]

Hi Robert!
I would strongly recommend to have a look at the Data Access Block
from Microsoft. The SQl helper class provides easy access to stored
procedures and allows you to call them without having to bother with
parameters.

[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/daab-rm.asp[/url]

We used the SQLHelper and extended it, so that it also handles Typed
Datasets etc.

We use only StoredProcedures. With this we try to encapsulate the
database and have a cleaner DataAccessLayer. Our DBA is reviewing the
StoredProcs without having to dig into the .Net programm code.

Hope this helps
Peter