recommended method to add row to db

Thread starter: Eirik Eldorsen

Eirik Eldorsen

What is the recommended method to add a row to a db? I've used the following
code since I started using ASP.NET. It's simple, but it gets very hard to
manage when the tables get big. And I have to check the input data for ","
and "'".


using System;
using System.Configuration;
using System.Data.OleDb;

public static int Create(int areaID, int createdByID, bool active, string title)
{
    // Every value is pasted straight into the SQL text, which is why title
    // has to be checked for ' and , by hand before this is called.
    string cmd =
        @"INSERT INTO TableName(AreaID, TypeID, CreatedByID, Active, Title) " +
        @"VALUES (" + areaID + ", 1, " + createdByID + ", " + active + ", '" + title + "')";
    return DBFactory.UpdateDB(cmd);
}

public static int UpdateDB(string cmd)
{
    OleDbConnection connection = new OleDbConnection(
        ConfigurationSettings.AppSettings["ConnectionString"]);
    connection.Open();
    OleDbCommand command = new OleDbCommand();
    command.Connection = connection;
    command.CommandText = cmd;
    command.ExecuteNonQuery();
    // Same open connection, so @@Identity is the identity just generated.
    command.CommandText = "SELECT @@Identity";
    // The (int) unboxing cast assumes the provider returns an Int32 here;
    // SQL Server returns a decimal, for which Convert.ToInt32 would be needed.
    int id = (int)command.ExecuteScalar();
    connection.Close();
    return id;
}
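The concatenation above is what makes the "check for , and '" step necessary: the values become part of the statement text. Below is an added example, not the poster's code, of the same Create() written with OleDbParameter so the values are sent separately from the SQL and no manual escaping is needed. The table name "TableName" is the placeholder from the post, the connection string is taken as a parameter instead of being read from configuration, and the 255-character limit on Title is an assumption.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example: parameterised version of the Create()/UpdateDB() pair.
public static class SafeDbFactory
{
    public static int Create(string connectionString, int areaID,
                             int createdByID, bool active, string title)
    {
        // OLE DB uses positional '?' placeholders. The parameter values never
        // appear in this string, so a ' or , inside title is stored as data
        // and cannot change the structure of the statement.
        const string sql =
            "INSERT INTO TableName(AreaID, TypeID, CreatedByID, Active, Title) " +
            "VALUES (?, 1, ?, ?, ?)";

        using (OleDbConnection connection = new OleDbConnection(connectionString))
        using (OleDbCommand command = new OleDbCommand(sql, connection))
        {
            // Parameters bind in the order the '?' marks appear, not by name.
            command.Parameters.Add("@AreaID", OleDbType.Integer).Value = areaID;
            command.Parameters.Add("@CreatedByID", OleDbType.Integer).Value = createdByID;
            command.Parameters.Add("@Active", OleDbType.Boolean).Value = active;
            command.Parameters.Add("@Title", OleDbType.VarWChar, 255).Value = title;  // assumed width

            connection.Open();
            command.ExecuteNonQuery();

            // Reuse the same connection so @@IDENTITY refers to the row just
            // inserted. Clear the parameters first: the identity query has none.
            command.Parameters.Clear();
            command.CommandText = "SELECT @@IDENTITY";

            // @@IDENTITY is boxed as a decimal by SQL Server and as an Int32 by
            // Jet/Access; Convert.ToInt32 handles both where an (int) cast would throw.
            return Convert.ToInt32(command.ExecuteScalar());
        }
    }
}
```

The using blocks close the connection even when ExecuteNonQuery throws, which the original code does not. On SQL Server, SCOPE_IDENTITY() is the safer choice than @@IDENTITY because @@IDENTITY also picks up identities generated by triggers on other tables.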
 
Hi Eirik,

My recommendation is that you use stored procedures on SQL Server. Stored
procedures are compiled SQL, and you gain performance. Moreover, by using
stored procedures you will protect yourself from SQL injection attacks.
Inline SQL in applications can be risky.

Regards,

Deepak
[I Code, therefore I am]
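For readers who want to see what the stored-procedure route looks like from ADO.NET, here is an added example that is not part of Deepak's reply. The procedure name usp_CreateRow, its parameter names and the 255-character Title width are assumptions; the columns are the ones from Eirik's INSERT. The injection protection comes from passing the arguments as SqlParameter objects: a procedure that concatenates its arguments into a dynamic EXEC string, or a caller that builds "EXEC usp_CreateRow ..." by string concatenation, would lose it again.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: calling a stored procedure with typed parameters.
//
// Assumed T-SQL on the server side (not from the thread):
//
//   CREATE PROCEDURE usp_CreateRow
//       @AreaID int, @CreatedByID int, @Active bit,
//       @Title nvarchar(255), @NewID int OUTPUT
//   AS
//       INSERT INTO TableName(AreaID, TypeID, CreatedByID, Active, Title)
//       VALUES (@AreaID, 1, @CreatedByID, @Active, @Title);
//       SET @NewID = SCOPE_IDENTITY();
public static class StoredProcFactory
{
    public static int Create(string connectionString, int areaID,
                             int createdByID, bool active, string title)
    {
        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand command = new SqlCommand("usp_CreateRow", connection))
        {
            // CommandType.StoredProcedure makes CommandText a procedure name,
            // so nothing here is parsed as SQL text built from user input.
            command.CommandType = CommandType.StoredProcedure;

            command.Parameters.Add("@AreaID", SqlDbType.Int).Value = areaID;
            command.Parameters.Add("@CreatedByID", SqlDbType.Int).Value = createdByID;
            command.Parameters.Add("@Active", SqlDbType.Bit).Value = active;
            command.Parameters.Add("@Title", SqlDbType.NVarChar, 255).Value = title;

            // Output parameter carries SCOPE_IDENTITY() back without a second round trip.
            SqlParameter newId = command.Parameters.Add("@NewID", SqlDbType.Int);
            newId.Direction = ParameterDirection.Output;

            connection.Open();
            command.ExecuteNonQuery();

            // Output parameters are populated only after the command completes.
            return Convert.ToInt32(newId.Value);
        }
    }
}
```

Declaring the parameter types and lengths explicitly also lets SQL Server reuse the cached plan for the procedure, which is where the performance benefit Deepak mentions actually comes from.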
 
Thank you. I will consider your suggestion. But what I was looking for is a
way to do this with ADO.NET, without having to write SQL code. The reason
for not wanting to write SQL is that in the project I'm starting on, the
tables will have over 50 columns. It will be a real pain to write SQL
insert and update statements on such large tables.
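One way to get what Eirik is asking for with plain ADO.NET, as an added example that is not from the thread: let OleDbCommandBuilder generate the INSERT and UPDATE statements from the table's schema, so the only hand-written SQL is a SELECT that names the table. The generated commands are parameterised, so the "," and "'" checking problem goes away as well. "TableName" is the placeholder from the original post and the connection string is passed in rather than read from configuration.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example: schema-driven insert for a wide table.
public static class AdapterFactory
{
    public static int Create(string connectionString, int areaID,
                             int createdByID, bool active, string title)
    {
        using (OleDbConnection connection = new OleDbConnection(connectionString))
        {
            // A SELECT that returns no rows still brings back the column
            // definitions, which is all the command builder needs.
            OleDbDataAdapter adapter = new OleDbDataAdapter(
                "SELECT * FROM TableName WHERE 1 = 0", connection);

            // The builder derives INSERT/UPDATE/DELETE commands, one '?'
            // parameter per column; identity and read-only columns are skipped.
            OleDbCommandBuilder builder = new OleDbCommandBuilder(adapter);
            adapter.InsertCommand = builder.GetInsertCommand();

            DataTable table = new DataTable("TableName");
            adapter.FillSchema(table, SchemaType.Source);

            // Fill a row by column name. Unassigned columns stay DBNull and
            // are sent as NULL, so only the columns that matter need code.
            DataRow row = table.NewRow();
            row["AreaID"] = areaID;
            row["TypeID"] = 1;
            row["CreatedByID"] = createdByID;
            row["Active"] = active;
            row["Title"] = title;   // a ' or , here is just data
            table.Rows.Add(row);

            // The generated INSERT does not return the new identity, so read
            // it on the same connection right after each successful insert.
            int newId = 0;
            adapter.RowUpdated += delegate(object sender, OleDbRowUpdatedEventArgs e)
            {
                if (e.StatementType == StatementType.Insert &&
                    e.Status == UpdateStatus.Continue)
                {
                    using (OleDbCommand idCommand =
                               new OleDbCommand("SELECT @@IDENTITY", e.Command.Connection))
                    {
                        newId = Convert.ToInt32(idCommand.ExecuteScalar());
                    }
                }
            };

            // Update() opens the connection if needed and issues the generated
            // INSERT for every row in the Added state.
            adapter.Update(table);
            return newId;
        }
    }
}
```

Updating an existing row is the same pattern: fill the table with a SELECT restricted by primary key, change the DataRow's columns, and call adapter.Update() again; the builder needs the table to have a primary key for that, which FillSchema picks up from the database. Pulling 50 columns through a DataTable costs more than a hand-written parameterised INSERT, so this trades some performance for not maintaining the statements by hand.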
