关于SQL语句的一般问题 [英] A general question about SQL statement
问题描述
大家好,
我想得到人们关于在C#
(或任何其他.NET语言)中执行SQL语句的意见)。我曾经用
构建一个字符串并用两个单引号替换单引号来创建我的SQL语句。
有时候,我使用了SqlParameter。也许,当我构建SQL
字符串时,我有点懒。我应该总是使用SqlParameters吗?构建SQL字符串和使用SqlParameter之间有什么优点/缺点?
一个表现比另一个好吗?
谢谢。
Michael
Hi all,
I would like to get people''s opinion about executing SQL statements in C#
(or any other .NET language really). I used to create my SQL statement by
building a string and replacing single quote with two single quotes.
Sometimes, I used SqlParameter. Maybe, I''m a bit lazy when I build the SQL
string. Should I always use SqlParameters? What are the
advantages/disadvantages between building SQL string and using SqlParameter?
Does one perform better than the other?
Thanks.
Michael
推荐答案
Michael< m@m.com>写道:
Michael <m@m.com> wrote:
我想得到人们关于在C#
(或任何其他.NET语言)中执行SQL语句的意见。我曾经通过构建一个字符串并用两个单引号替换单引号来创建我的SQL语句。
有时候,我使用了SqlParameter。也许,当我构建SQL
字符串时,我有点懒。我应该总是使用SqlParameters吗?构建SQL字符串和使用SqlParameter之间有什么优点/缺点?
一个表现比另一个好吗?
I would like to get people''s opinion about executing SQL statements in C#
(or any other .NET language really). I used to create my SQL statement by
building a string and replacing single quote with two single quotes.
Sometimes, I used SqlParameter. Maybe, I''m a bit lazy when I build the SQL
string. Should I always use SqlParameters? What are the
advantages/disadvantages between building SQL string and using SqlParameter?
Does one perform better than the other?
始终使用参数除了一次性测试之外的其他任何东西。
优点:
o SQL注入攻击变得不可能
o为您完成格式化(字符串转义) ,日期/时间格式化
等)
o该命令可以重复使用不同的值,增加
性能
缺点:
o需要更多的代码才能整理出来的参数
-
Jon Skeet - < sk *** @ pobox.com>
http:/ /www.pobox.com/~skeet
如果回复小组,请不要给我发邮件
Always use parameters for anything other than a throwaway test.
Advantages:
o SQL injection attack becomes impossible
o Formatting is done for you (string escaping, date/time formatting
etc)
o The command can be reused with different values, increasing
performance
Disadvantages:
o It takes a bit more code to sort out the parameters to start with
--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
是的,顺便说一句,您可以使用PowerToys for ADO.NET来简化
参数的使用,它可以生成用来调用存储过程的包装器......
" Jon Skeet [C#MVP]" < SK *** @ pobox.com>在消息中写道
新闻:MP ************************ @ msnews.microsoft.c om ...
Yes, by the way you can use PowerToys for ADO.NET to simplify use of
parameters, it can generate wrappers for calling stored procedures...
"Jon Skeet [C# MVP]" <sk***@pobox.com> wrote in message
news:MP************************@msnews.microsoft.c om...
Michael< m@m.com>写道:
Michael <m@m.com> wrote:
我想得到人们关于在
C#(或任何其他.NET语言)中执行SQL语句的意见。我曾经通过构建一个字符串并用两个单引号替换单引号来创建我的SQL语句
。
有时候,我使用了SqlParameter。也许,当我构建
SQL字符串时,我有点懒。我应该总是使用SqlParameters吗?构建SQL字符串和使用
SqlParameter之间的优缺点是什么?一个人的表现比另一个好吗?
I would like to get people''s opinion about executing SQL statements in C# (or any other .NET language really). I used to create my SQL statement by building a string and replacing single quote with two single quotes.
Sometimes, I used SqlParameter. Maybe, I''m a bit lazy when I build the SQL string. Should I always use SqlParameters? What are the
advantages/disadvantages between building SQL string and using SqlParameter? Does one perform better than the other?
除了一次性测试外,总是使用参数。
优点:
o SQL注入攻击成为不可能
o为您完成格式化(字符串转义,日期/时间格式化等)
o该命令可以重复使用不同的值,增加性能
<缺点:
o需要更多的代码才能整理出来的参数
-
Jon Skeet - < sk *** @ pobox。 com>
http://www.pobox.com/~skeet
如果回复该组,请不要给我发邮件
Always use parameters for anything other than a throwaway test.
Advantages:
o SQL injection attack becomes impossible
o Formatting is done for you (string escaping, date/time formatting
etc)
o The command can be reused with different values, increasing
performance
Disadvantages:
o It takes a bit more code to sort out the parameters to start with
--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
SQL Server缓存命令并预编译它们。如果命令字符串确实没有从一个调用更改为下一个调用,就像参数化的
查询一样,性能会显着提高。但是如果你在命令字符串中构建值
,它几乎每次都会改变,从而击败这个
优化。
我没有看到任何基准测试,并且一个人的里程可能会有所不同,但是参数化的SQL语句可能会接近某些情况下存储过程的性能水平。特别是批处理。存储过程的主要优点是,在大多数情况下,
根本就没有服务器端编译,即使是第一次调用也没有。
--BOB
" Michael" < m@m.com>在消息中写道
新闻:O6 ************** @ TK2MSFTNGP09.phx.gbl ...
SQL Server caches commands and precompiles them. If the command string does
not change from one call to the next, as is the case with a parameterized
query, performance is significantly increased. But if you build the values
into the command string, it will change virtually every time, defeating this
optimization.
I haven''t seen any benchmarks, and one''s mileage probably varies, but
parameterized SQL statements probably approach the performance level of
stored procedures in some cases, particularly batch processes. The main
performance advantage of stored procedures would be that in most cases there
would be no server-side compiles at all, not even on the first call.
--Bob
"Michael" <m@m.com> wrote in message
news:O6**************@TK2MSFTNGP09.phx.gbl...
大家好,
我想得到人们关于在C#
(或任何其他.NET语言)中执行SQL语句的意见。我曾经通过构建一个字符串并用两个单引号替换单引号来创建我的SQL语句。
有时候,我使用了SqlParameter。也许,当我构建SQL
字符串时,我有点懒。我应该总是使用SqlParameters吗?构建SQL字符串和使用
SqlParameter之间的优缺点是什么?一个人的表现比另一个好吗?
谢谢。
迈克尔
Hi all,
I would like to get people''s opinion about executing SQL statements in C#
(or any other .NET language really). I used to create my SQL statement by
building a string and replacing single quote with two single quotes.
Sometimes, I used SqlParameter. Maybe, I''m a bit lazy when I build the SQL
string. Should I always use SqlParameters? What are the
advantages/disadvantages between building SQL string and using SqlParameter? Does one perform better than the other?
Thanks.
Michael
这篇关于关于SQL语句的一般问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
