NorthernMonkey
New member
Joined: Mar 30, 2011 | Messages: 1 | Programming Experience: 3-5
Hi All,
I just wanted to ask a couple of questions that have been annoying me for a while now.
I have been a programmer for quite a while, and in that time, moving from VB6 to .NET etc., I have maintained some bad habits which I think originally came from knocking up quick applications in a small company.
This is something I really want to fix, so would appreciate any links/answers you can provide.
1. Probably the worst one - embedded SQL in VB.NET code
This is something I really want to get away from, as I am aware of injection problems that can occur. A lot of the stuff I learnt from would code along the lines of
    strQuery = "SELECT * FROM Table1 WHERE TableID = " & myID
And I notice a few people on here still show examples like this.
Obviously this is a problem. Is there an absolutely correct answer to how this should be done properly? Prepared statements?
2. Again, in a similar vein to the above, rather than embedding large SQL queries in VB.NET code, some developers I have worked with create views on the database and select from those views, again with a 'WHERE' statement. I am thinking I should be moving to using stored procedures rather than creating views on the database. What is the general consensus on this? And at what point do you decide that a query is too long to put in code and should be in a sproc/view?
And yes, I am a little embarrassed to be asking these questions, but there are a lot of tutorials out there showing the 'bad' way, and it's too easy not to do anything about it. So like I say, I'm trying to fix this.
Apologies for the wall of text, all comments appreciated.
NM.
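The following is an added example, not code from the original post or from anyone replying to it. It shows, in VB.NET with ADO.NET's System.Data.SqlClient, the concatenated query from the post next to the parameterised form that answers question 1, and the same lookup through a stored procedure for question 2. It assumes a SQL Server database reachable through connectionString, a table Table1 with an integer TableID column and a Name column, and a stored procedure dbo.GetTable1ById taking @TableID int; all of those names are assumptions for the example.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

' Added example, not from the original post. Assumes: a SQL Server database
' reachable via connectionString, a table Table1 (TableID int, Name nvarchar),
' and a stored procedure dbo.GetTable1ById(@TableID int). All names are
' assumptions for illustration.
Public Module SafeQueries

    ' The pattern from the post, kept only to show what an attacker exploits.
    ' If myID arrives as "1 OR 1=1" the WHERE clause matches every row; if it
    ' arrives as "1; DROP TABLE Table1" a second statement is executed.
    Public Function UnsafeQuery(ByVal myID As String) As String
        Return "SELECT * FROM Table1 WHERE TableID = " & myID
    End Function

    ' Parameterised (prepared) form. The SQL text is fixed in the code and
    ' @TableID travels to the server as a typed value, never as SQL text, so
    ' the input above is simply an integer conversion error at the caller.
    Public Function GetRowById(ByVal connectionString As String, ByVal myID As Integer) As DataTable
        Dim result As New DataTable()
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand("SELECT TableID, Name FROM Table1 WHERE TableID = @TableID", conn)
                cmd.Parameters.Add("@TableID", SqlDbType.Int).Value = myID
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    result.Load(reader)
                End Using
            End Using
        End Using
        Return result
    End Function

    ' Same lookup through a stored procedure. The parameter is passed exactly
    ' the same way; moving SQL into a sproc only helps if the sproc body itself
    ' uses @TableID directly and does not EXEC a concatenated string.
    Public Function GetRowByIdSproc(ByVal connectionString As String, ByVal myID As Integer) As DataTable
        Dim result As New DataTable()
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand("dbo.GetTable1ById", conn)
                cmd.CommandType = CommandType.StoredProcedure
                cmd.Parameters.Add("@TableID", SqlDbType.Int).Value = myID
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    result.Load(reader)
                End Using
            End Using
        End Using
        Return result
    End Function

End Module
```

The security property comes from the parameter, not from where the SQL lives: an inline parameterised SqlCommand, a parameterised SELECT against a view, and a stored procedure called with CommandType.StoredProcedure are all equally safe against injection, and a stored procedure that builds dynamic SQL from its arguments with EXEC is just as unsafe as the concatenation in the post.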