What is the benefit of using a parameterized function for a query?

Question

public static DataSet getDishList(int eID, string uID)
{
    // :eventID and :userID are named placeholders; the caller's eID / uID values are bound
    // to them separately and never become part of the SQL text.
    const string sqlCommand = "SELECT * FROM ITSWEB_event_dish, ITSWEB_dish_type " +
                              "WHERE ITSWEB_event_dish.DISH_event_id = :eventID " +
                                  "AND ITSWEB_event_dish.DISH_uid = :userID " +
                                  "AND ITSWEB_event_dish.DISH_type = ITSWEB_dish_type.DISH_type";
    // ... the rest of the method (parameter binding and execution) is not shown in the post
}

Here I have used eID, uID but I have no idea about code efficiency.
Can anyone explain the benefit of this parameterized function?

Answer

A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks.

http://stackoverflow.com/questions/4712037/what-is-parameterized-query


Check the following link:

http://codebetter.com/davidhayden/2006/01/05/parameterized-query-and-performance/

- When you use a parameterized query, it only needs to parse and check the syntax of the query the first time it is executed. So long as the SQL statement being executed is unchanged, excluding the values of the parameters, subsequent executions do not need parsing and syntax checking.

- Also, upon repeated execution of a parameterized query, only the parameter values need to be sent to the server. The remainder of the query does not, having already been sent during a previous execution.

- If you use a parameterized query, you can get a measurable performance impact of using it versus dynamic SQL.

- It plays an important role as far as SQL injection attacks are concerned.

[Update]:

Why do parameterized queries stop SQL injection attacks?

Regards.
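The injection point the answer refers to can be seen by running the same lookup both ways. The following is an added example, not code from the question or either answer: it rebuilds a tiny ITSWEB_event_dish table in an in-memory SQLite database with constructed rows (the table name and columns are borrowed from the post; the data is made up) and compares a string-concatenated query with the named-placeholder form that mirrors the :eventID / :userID style of the original C#. Python's sqlite3 module is used here instead of the poster's .NET data provider so the example runs stand-alone.

```python
import sqlite3

# Constructed sample rows for a cut-down ITSWEB_event_dish table (not data from the post).
SAMPLE_ROWS = [
    (1, "alice", "starter"),
    (1, "bob", "main"),
    (2, "alice", "dessert"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ITSWEB_event_dish (DISH_event_id INTEGER, DISH_uid TEXT, DISH_type TEXT)"
    )
    conn.executemany("INSERT INTO ITSWEB_event_dish VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def dishes_concatenated(conn: sqlite3.Connection, event_id: int, uid: str) -> list:
    """The 'before' form: the caller's values are pasted into the SQL text.

    Whatever is in uid becomes part of the statement, so the input can change
    the query's structure rather than just its comparison value.
    """
    sql = (
        "SELECT DISH_uid, DISH_type FROM ITSWEB_event_dish "
        f"WHERE DISH_event_id = {event_id} AND DISH_uid = '{uid}'"
    )
    return conn.execute(sql).fetchall()


def dishes_parameterized(conn: sqlite3.Connection, event_id: int, uid: str) -> list:
    """The hardened form: constant SQL text with named placeholders.

    The values travel to the engine separately from the statement, so they are
    only ever compared, never parsed as SQL. Because the text never changes, the
    driver can also reuse the compiled statement across calls, which is the
    performance point the answer's first two bullets make.
    """
    sql = (
        "SELECT DISH_uid, DISH_type FROM ITSWEB_event_dish "
        "WHERE DISH_event_id = :eventID AND DISH_uid = :userID"
    )
    return conn.execute(sql, {"eventID": event_id, "userID": uid}).fetchall()


def compare(uid: str) -> tuple:
    """Run both forms for event 1 with the same uid and return (concatenated, parameterized)."""
    conn = make_db()
    try:
        return dishes_concatenated(conn, 1, uid), dishes_parameterized(conn, 1, uid)
    finally:
        conn.close()


def lookup_many(event_id: int, uids: list) -> dict:
    """Execute one unchanged parameterized statement for many user ids.

    Only the bound values differ between iterations; the SQL text is identical.
    """
    conn = make_db()
    try:
        return {
            uid: [dish_type for _, dish_type in dishes_parameterized(conn, event_id, uid)]
            for uid in uids
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input :", compare("alice"))
    print("crafted input:", compare("x' OR '1'='1"))
    print("batch lookup :", lookup_many(1, ["alice", "bob", "carol"]))
```

With an ordinary user id both functions return the same single row. With a crafted id the concatenated form's WHERE clause is rewritten and every row in the table comes back, while the parameterized form simply finds no user whose id is that literal string and returns nothing.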

