它是不好的做法，存储在资源文件中的SQL查询？ [英] Is it bad practice to store SQL queries in resource file?

问题描述

我有一个与SQL服务器通信的Web应用程序。而不是硬编码的所有查询字符串，我选择将它们存储在一个全球性的资源文件。那是做不好？

I have a web application that communicates with SQL server. Rather than hard-coding all of the query strings, I have opted to store them in a global resource file. Is that considered bad practice?

在一个侧面说明，我这样做的时候，Visual Studio会骂我有关SQL注入的可能性，尽管被参数化这些查询（更不用说拼写警告资源文件中）。

On a side note, when I do this, Visual Studio yells at me about the possibility of SQL injection, despite those queries being parameterized (not to mention the "spelling" warnings inside the resource file).

推荐答案

实践陷入范围（如避免的 preFER 的使用的，等）和取决于上下文

Practices fall into a range (e.g. Avoid, Prefer, Use, etc.) and depend on context.

如果你有一个从高一强制要求存储，特效不可使用，也不可使用ORM，那么你的存储复杂的SQL作为一种资源，因为你至少没有不坏的一种做法逃脱字符在 System.String 键，你至少保持它的眼睛有些安全。如果您的SQL在本质上是动态的，资源文件与文本模板机制结合起来是相当干净。

If you have a mandate from on high that stored-procs shalt not be used and neither shall ye use an ORM, then storing your complex SQL as a resource is not that bad of a practice because you at least don't have to escape characters in a System.String and you at least keep it somewhat safe from eyes. If your SQL is dynamic in nature, combining resource files with a text templating mechanism is fairly clean.

这表示，一般的使用资源文件应尽量避免，除非有维修费用，可读性和能力的明确的利益（即似乎在大多数情况下）。有绑定存储过程code相当多的清洁方式;还有一些主管ORM工具和小型数据访问层可能会做得更好。

That said, generally (i.e. it seems in most contexts) using resource files should be avoided unless there's a clear benefit in maintenance costs, readability, and capability. There are quite a few clean ways to bind stored procedures to code; there are a number of competent ORM tools and mini-data access layers that might do a better job.

这篇关于它是不好的做法，存储在资源文件中的SQL查询？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！