What is the best way for passing parameters to select command?

orenr · Jul 20, 2006

Hi

We have a web site for 100 users using SQL Server.
In our DAL all the selections when we need to pass parameters are using
the SqlCommand and they are something like:

SqlCommand com = new SqlCommand();
com.Connection = MyConnection;
com.Transaction = MyTransaction;
com.CommandText = ""SELECT CustomerID, CompanyName FROM Customers "

+ "WHERE Country = "+ MyCountryVal.ToString() + " AND City = "
+ MyCityVal;
dataReader = com.ExecuteReader();

I want to know if in this kind of commads i will have performace
issues?
Does it better to pass the parameters to the SqlCommand with the
SqlCommand.Parameters command as follow:

command.CommandText =
"SELECT CustomerID, CompanyName FROM Customers "
+ "WHERE Country = @Country AND City = @City";
command.Parameters.Add(paramArray);

for (int j=0; j<paramArray.Length; j++)
{
command.Parameters.Add(paramArray[j]) ;
}

Thanks in advance.
Oren.

Karl Seguin [MVP] · Jul 20, 2006

It's better 'cuz it's about 100000x more secure. Performance isn't an issue
either way.

Karl

Karl Seguin [MVP] · Jul 20, 2006

Err...the command.Parameters is better is what i mean

karl

paul.thomas · Jul 20, 2006

Convert your command into a stored procedure and then pass in
parameters.

If you have optional parameters e.g Search on First name or Last name
you can change you
SQL like this.

CREATE PROCEDURE spgUser
{
@firstName nvarchar(50) = null,
@lastName nvarchar(50) = null
}
AS

SELECT

userID

FROM

userTable

WHERE

(@firstName IS NULL OR firstName = @firstName )
AND
(@lastName IS NULL OR lastName = @lastName)

This will also allow this procedure to bring back ALL users if no
params are passed.
If you don't want that simply do an IF test for both being null at the
start or put that
logic in you code.

Hope this helps.

Err...the command.Parameters is better is what i mean

karl

--
http://www.openmymind.net/
http://www.codebetter.com/

Hi

We have a web site for 100 users using SQL Server.
In our DAL all the selections when we need to pass parameters are using
the SqlCommand and they are something like:

SqlCommand com = new SqlCommand();
com.Connection = MyConnection;
com.Transaction = MyTransaction;
com.CommandText = ""SELECT CustomerID, CompanyName FROM Customers "

+ "WHERE Country = "+ MyCountryVal.ToString() + " AND City = "
+ MyCityVal;
dataReader = com.ExecuteReader();

I want to know if in this kind of commads i will have performace
issues?
Does it better to pass the parameters to the SqlCommand with the
SqlCommand.Parameters command as follow:

command.CommandText =
"SELECT CustomerID, CompanyName FROM Customers "
+ "WHERE Country = @Country AND City = @City";
command.Parameters.Add(paramArray);

for (int j=0; j<paramArray.Length; j++)
{
command.Parameters.Add(paramArray[j]) ;
}

Thanks in advance.
Oren.

Click to expand...

Mark Rae · Jul 20, 2006

WHERE
(@firstName IS NULL OR firstName = @firstName )
AND
(@lastName IS NULL OR lastName = @lastName)

I find the following much easier to read:

WHERE
firstName = COALESCE(@firstName, firstName)
AND
lastName = COALESCE(@lastName, lastName)

Paul · Jul 20, 2006

Agreed but is there a performance hit?

When we initially went for the solution I wrote many queries like this

(@firstName = firstName OR @firstName IS NULL )

This is ALOT slower than

( @firstName IS NULL OR .....

When @firstName is indeed NULL.

Mark Rae · Jul 20, 2006

Agreed but is there a performance hit?

I don't know - is there...?

When we initially went for the solution I wrote many queries like this

(@firstName = firstName OR @firstName IS NULL )

This is ALOT slower than

( @firstName IS NULL OR .....

When @firstName is indeed NULL.

OK - I'll have to take your word for that, as I've never benchmarked it.

Thanks for the tip.

Karl Seguin [MVP] · Jul 20, 2006

Yes, there is a performance tip...and putting it in a sproc isn't
necessarily the best answer.

While I'm a big fan of sprocs (really big), they aren't any more secure, and
most developers don't realize that in many cases, they can run considerably
slower than inline SQL.

I disagree wth the blanket statement of putting it in an sproc - though I do
agree that it should be considered.

Karl

Karl Seguin [MVP] · Jul 20, 2006

*tip* --> *hit*

--
http://www.openmymind.net/
http://www.fuelindustries.com/

"Karl Seguin [MVP]" <karl REMOVE @ REMOVE openmymind REMOVEMETOO . ANDME
net> wrote in message news:[email protected]...

JT · Jul 21, 2006

I agree with you. However, some people might point out that an
advantage of stored procedures is that they can be modified without a
code recompile. That may or may not be a concern. I haven't found
that to be a high priority and like the inline parameter approach.

JT

A better way to add a row to a gridview	0	May 1, 2007
Not able to page datagrid within the datalist	3	Oct 13, 2004
What is the best way to pass a user identity between serveral ASP.NET web sites?	6	Aug 22, 2003
Use the DataList Control to Present and Edit Data PART 2	0	Dec 7, 2003
Redirect Problem	0	Sep 19, 2005

What is the best way for passing parameters to select command?

orenr

Karl Seguin [MVP]

Karl Seguin [MVP]

paul.thomas

Mark Rae

Paul

Mark Rae

Karl Seguin [MVP]

Karl Seguin [MVP]

JT

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads