我通常写我的SQL为使在.NET
I typically write my SQL as so in .NET
sql.Append("SELECT id, code, email FROM mytable WHERE variable = @variable ");
然后做这样的事情:
Then do something like this:
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings[ConfigurationManager.AppSettings["defaultConnection"]].ConnectionString))
{
using (SqlCommand myCommand = new SqlCommand(sql.ToString(), conn))
{
myCommand.Parameters.AddWithValue("@variable", myVariableName");
...
不过,我也应该这样做addParameter的时候,我得到了数据直接来自数据库,像这样?
But should I also do this addParameter when the data I got comes directly from the database like so?
likesql.Append(string.Format("SELECT group_id, like_text FROM likeTerms ORDER BY group_id ASC "));
DataTable dtLike = SqlHelper.GetDataTable(likesql.ToString());
foreach (DataRow dr in dtLike)
{
buildsql.Append(".... varId = " + dr["group_id"].ToString() + "...");
...
这是可以接受的?什么是最好的做法?
Is this acceptable? What is best practice?
有人可以用有限的数据库访问直接注入到其他地方的一个领域?
Can someone with limited database access inject directly into a field used elsewhere?
此外,它有助于提高性能。高速缓存的执行计划,将忽略该参数的值,这意味着你的每次参数变化重新编译查询可以节省服务器。
Also, it helps performance. Cached execution plans will disregard the value of the parameter, meaning you're saving the server from recompiling the query every time the parameters change.