Fred Flintstone
What's the difference between these two methods?
1 - Parameterized SQL queries:

    ' Values are sent as typed parameters, never spliced into the SQL text
    Dim CommandObject As New Data.SqlClient.SqlCommand
    With CommandObject
        .Connection = myConnection
        .Parameters.Clear()
        .Parameters.Add("@TextField", SqlDbType.NVarChar, 50).Value = TextField
        .Parameters.Add("@NumField", SqlDbType.Int, 50).Value = NumField
        .Parameters.Add("@BitField", SqlDbType.Int, 50).Value = BitField
        .CommandText = "INSERT [Table1]([TextField], [NumField], [BitField]) " & _
                       "VALUES(@TextField, @NumField, @BitField);"
        .ExecuteNonQuery()
    End With

2 - Dataset method

    ' Fill a new row in the in-memory table, then let the adapter write it back
    Dim myDataRow As DataRow = myDataSet.Tables(DataSetName).NewRow()
    myDataRow("TextField") = TextField
    myDataRow("NumField") = NumField
    myDataRow("BitField") = BitField
    myDataSet.Tables(DataSetName).Rows.Add(myDataRow)
    mySqlDataAdapter.Update(myDataSet, DataSetName)
Apparently, if I use the data set method, terrorists will fly planes
into buildings and life will end in a spectacular universal explosion.
(or something horrible, I'm not sure exactly, something to do with
people inserting SQL commands into our data streams?) So I've been
recommended method 1 as 'you MUST do it this way!!!1one'.
So my question is then, what's wrong with the dataset method? If it
exposes such a massive security risk, why is it there in the first
place?
I'm just trying to find the best method for doing database management
in ADO.Net and I'm getting conflicting messages. Any advice
appreciated, thanks!
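The security point behind the "you MUST use parameters" advice is that with a parameterized command the database engine never parses the field values as SQL; they travel separately from the statement text. Neither of the two snippets in the question concatenates user input into SQL, so the contrast they were given is really "parameters vs. string-building", not "SqlCommand vs. DataSet" (a SqlDataAdapter.Update call runs the adapter's InsertCommand, which is itself a parameterized command when generated by SqlCommandBuilder). The following added example, written for this reply and not taken from the question or from ADO.NET, shows the actual difference using Python's sqlite3 module as a stand-in for SqlCommand: the placeholder syntax is `?` instead of `@name`, but the mechanism is the same. The table name, column names and the sample value `O'Brien` are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory table mirroring the question's [Table1] columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Table1 (TextField TEXT, NumField INTEGER, BitField INTEGER)"
    )
    return conn


def build_concatenated_sql(text_field, num_field, bit_field):
    """The risky shape: field values are pasted into the statement text.

    Whatever characters the value contains are handed to the SQL parser
    as part of the statement, so the value can change the statement."""
    return (
        "INSERT INTO Table1 (TextField, NumField, BitField) VALUES ('"
        + text_field + "', " + str(num_field) + ", " + str(bit_field) + ")"
    )


def insert_concatenated(conn, text_field, num_field, bit_field):
    conn.execute(build_concatenated_sql(text_field, num_field, bit_field))


def insert_parameterized(conn, text_field, num_field, bit_field):
    """The safe shape (equivalent of .Parameters.Add(...) in the question).

    The statement text is fixed; the driver ships the values separately
    and the engine binds them as data, never as SQL tokens."""
    sql = "INSERT INTO Table1 (TextField, NumField, BitField) VALUES (?, ?, ?)"
    conn.execute(sql, (text_field, num_field, bit_field))


def stored_text(conn):
    """Return the TextField values in insertion order."""
    return [row[0] for row in conn.execute("SELECT TextField FROM Table1 ORDER BY rowid")]


def demo(text_field):
    """Run both inserts with the same value and report what happened to each."""
    results = {}
    conn = make_db()
    try:
        insert_concatenated(conn, text_field, 1, 1)
        results["concatenated"] = "stored"
    except sqlite3.Error as exc:
        # A single apostrophe in the value already breaks the statement:
        # the parser saw the value as SQL syntax, which is the injection hazard.
        results["concatenated"] = "error: " + type(exc).__name__
    insert_parameterized(conn, text_field, 1, 1)
    results["parameterized"] = "stored"
    results["rows"] = stored_text(conn)
    conn.close()
    return results


if __name__ == "__main__":
    print(demo("plain text"))
    print(demo("O'Brien"))
```

With a harmless value both paths store a row. With `O'Brien` the concatenated statement fails because the apostrophe terminated the string literal early, which is the same parsing behaviour that lets a crafted value alter a statement; the parameterized insert stores the apostrophe literally. Both of the question's methods sit on the right side of this line, and the DataSet approach only becomes a problem if the adapter's commands are themselves built by string concatenation.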