B
Bryan Ax
DataTable Select filters seem really nifty - I can now use some basic
SQL to query these things, rather than having to go to the database
each time for some queries.
However, the down-side of them is I feel like I'm writing inline SQL
again - getting away from one of the biggest advantages of stored
procedures, where I don't have to escape single quotes, be as worried
about SQL injection attacks, etc.
For instance, let's say I want to ensure a particular value is unique
before trying to insert it into the database (or datatable).
I now need to escape single quotes again - this feels like the early
days of my own programming experience, where I would do inline SQL and
all its evils with string escaping instead of using a stored procedure
parameter list. I understand the advantage is that I don't NEED to go
to the database, but is it really more efficient to do lots of string
character replacement before calling the DataTable.Select() command?
For instance, let's say I want name to be unique. So, from input on a
form, I get a name value.
string myname = this.SomeInputControl.Text;
//find if it exists in the datatable.
DataRow[] dr = DataTable1.Select(name=' + myname + "'");
That would die if quotes are typed in. So now I need to work around
that again. Before DataSets and DataTables, I would just call a stored
procedure passing it the name...
What am I missing? I have been taught that DataSets are wonderful
because you reduce the number of times you go to the database. But at
the same time, having to go back to a syntax that looks a lot like
inline SQL, where logic is now in the application, gives me a bit of a
scare...
Any thoughts appreciated.
Sincerely,
Bryan
SQL to query these things, rather than having to go to the database
each time for some queries.
However, the down-side of them is I feel like I'm writing inline SQL
again - getting away from one of the biggest advantages of stored
procedures, where I don't have to escape single quotes, be as worried
about SQL injection attacks, etc.
For instance, let's say I want to ensure a particular value is unique
before trying to insert it into the database (or datatable).
I now need to escape single quotes again - this feels like the early
days of my own programming experience, where I would do inline SQL and
all its evils with string escaping instead of using a stored procedure
parameter list. I understand the advantage is that I don't NEED to go
to the database, but is it really more efficient to do lots of string
character replacement before calling the DataTable.Select() command?
For instance, let's say I want name to be unique. So, from input on a
form, I get a name value.
string myname = this.SomeInputControl.Text;
//find if it exists in the datatable.
DataRow[] dr = DataTable1.Select(name=' + myname + "'");
That would die if quotes are typed in. So now I need to work around
that again. Before DataSets and DataTables, I would just call a stored
procedure passing it the name...
What am I missing? I have been taught that DataSets are wonderful
because you reduce the number of times you go to the database. But at
the same time, having to go back to a syntax that looks a lot like
inline SQL, where logic is now in the application, gives me a bit of a
scare...
Any thoughts appreciated.
Sincerely,
Bryan