This is a rant and I'm not referring to VB Programmer or anyone in
particular- this is a rant about the state of dynamic Sql in general. I
clicked on Jon's link and totally agree. It just got me thinking about the
subject again.
With all of the trouble Dynamic Sql w/out parameters causes, it's amazing to
me that Microsoft isn't more adamant in renouncing it. I caught a bunch of
flak when I said it should die - one guy told me I couldn't do all the stuff
he's done without it. I kindly asked him to show me one example where that
was true and he was unable to put forward one. That's not b/c I'm
brilliant, it's b/c that argument is just wrong.
One thing that's really grating though is when you show people how to use
Parameterized queries and they reject your approach b/c the book they have
shows it with concatenated sql and they'd rather go with a 'proven' method.
Makes me want to pull my hair out. I think it will remedy itself, but
there's a lot of resistance to it (I have absolutely no idea why) and for
some reason, adoption is slow in coming. Outside of the whole injection
attack thing and the performance thing, coding it and maintaining it is a
damned nightmare. It's amazing some people get as far as they do b/c
debugging that crap is a nightmare. When I saw how params worked a few
years ago, I immediately hopped on board just b/c I knew I wouldn't have any
more string concatenation errors. Purely selfish. Then I saw how easy and
flexible it was. And I saw a few people who berated parameters as
unnecessary and rigid, over and over have stuff blow up b/c of an Irish last
name or b/c they forgot to add a single quote somewhere. Then they came up
with a replace routine but calling that on every query (which is necessary
to be 'safe') got really bulky. Over and over more reasons presented
themselves but a few of them would not change, let alone switch to stored
parameters to save their lives. One junior programmer even got reamed a new
one b/c she used Stored Procedures and they 'screw everything up'. Every
day, two at most there's a problem with someone and dynamic sql on one of
the ngs. Still it persists. Parameters and/or stored procs remain probably
the hardest sell of everything in Ado.net. That's what blows my mind. Just
about everyone can buy into the disconnected model which is a big paradigm
shift. How using parameters is more revolutionary and intimidating is still
a mystery. And the thing is that it's HARDER to use, more verbose, more
everything bad. I don't think I'll ever understand it.
Sorry for ranting OT, I just get the feeling that all of the writing,
posting etc about the downside of it barely puts a dent in it.
--
W.G. Ryan MVP Windows - Embedded
http://forums.devbuzz.com
http://www.knowdotnet.com/dataaccess.html
http://www.msmvps.com/williamryan/
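The three approaches the post compares, as an added example that is not part of the original post: the concatenated query that blows up on an Irish last name, the bulky "replace every quote" workaround, and the parameterized query that needs neither. It uses Python's sqlite3 module instead of ADO.NET, and the customers table and names are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with an apostrophe-bearing surname in it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT)")
    conn.executemany("INSERT INTO customers (last_name) VALUES (?)",
                     [("Smith",), ("O'Brien",), ("Ryan",)])
    return conn


def find_concatenated(conn, last_name):
    """The 'proven' book method: the value is pasted into the SQL text.
    A single quote inside the value ends the string literal early and the
    statement no longer parses."""
    sql = "SELECT id FROM customers WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_with_replace(conn, last_name):
    """The replace routine: double every quote before concatenating. It works,
    but it has to be remembered on every single query."""
    escaped = last_name.replace("'", "''")
    sql = "SELECT id FROM customers WHERE last_name = '" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]


def find_parameterized(conn, last_name):
    """Parameterized query: the driver passes the value separately from the
    statement, so quotes in the data never touch the SQL grammar."""
    sql = "SELECT id FROM customers WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def compare(last_name):
    """Run all three against the same name; a failing concatenation is
    reported as an 'error: ...' string instead of a result list."""
    conn = make_db()
    results = {}
    try:
        results["concat"] = find_concatenated(conn, last_name)
    except sqlite3.Error as exc:
        results["concat"] = "error: " + str(exc)
    results["replace"] = find_with_replace(conn, last_name)
    results["param"] = find_parameterized(conn, last_name)
    return results
```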