
SELECTs vs Stored Procedures

Hi

When developing VB.NET winform apps bound to a SQL Server datasource, is it
preferable to use SELECTs or stored procedures to read and write data from/to
SQL Server? Why?

Thanks

Regards
Nov 21 '05 #1
Hi,

Stored procedures are better. They are faster and harder to use a
sql injection attack against.

sql injection
http://msdn.microsoft.com/msdnmag/is.../SQLInjection/

http://msdn.microsoft.com/library/de...AGHT000002.asp

Ken
-------------------
"John" <Jo**@nospam.in fovis.co.uk> wrote in message
news:ON******** ******@TK2MSFTN GP12.phx.gbl...
Hi

When developing VB.NET winform apps bound to a SQL Server datasource, is it
preferable to use SELECTs or stored procedures to read and write data
from/to SQL Server? Why?

Thanks

Regards

Nov 21 '05 #2
John,

In addition to Ken's answer: you use SELECT for both.

The difference is that a stored procedure is on the server and more
processing is done on the server, which makes your retrieval of data
somewhat (or sometimes a lot) quicker.

I hope this helps,

Cor
Nov 21 '05 #3
Hi John

They have their plans precompiled, so they are faster.

Yes, it definitely prevents SQL injection to a decent level.

Shivprasad Koirala
C# , VB.NET , SQL SERVER , ASP.NET Interview Questions
http://www.geocities.com/dotnetinterviews/

Nov 21 '05 #4
>Stored procedures are better. They are faster and harder to use a
sql injection attack against.


Seconded - also, with stored procs, you're only sending the name of
the stored proc to call and the parameters across the wire, not the
whole big SQL statement - that can make quite a difference on slower
links!

Marc
Nov 21 '05 #5
Ken Tucker [MVP] wrote:
Hi,

Stored procedures are better. They are faster and harder to
use a sql injection attack against.

sql injection
http://msdn.microsoft.com/msdnmag/is.../SQLInjection/

http://msdn.microsoft.com/library/de...ry/en-us/dnpag
2/html/PAGHT000002.asp

Faster than what? Parameterized dynamic queries? Nope. Both are compiled
at runtime equally, and execution plans are cached for both.

SQL injection attacks are not possible when you use solely parameters
in your dynamic SQL. Furthermore, just using a proc doesn't mean your
dynamic search stored procedure, which concatenates SQL internally, is not
vulnerable to SQL injection.

Frans

Ken
"John" <Jo**@nospam.in fovis.co.uk> wrote in message
news:ON******** ******@TK2MSFTN GP12.phx.gbl...
Hi

When developing VB.NET winform apps bound to a SQL Server datasource,
is it preferable to use SELECTs or stored procedures to read and
write data from/to SQL Server? Why?

--
------------------------------------------------------------------------
Get LLBLGen Pro, productive O/R mapping for .NET: http://www.llblgen.com
My .NET blog: http://weblogs.asp.net/fbouma
Microsoft MVP (C#)
------------------------------------------------------------------------
Nov 21 '05 #6
John wrote:
Hi

When developing VB.NET winform apps bound to a SQL Server datasource,
is it preferable to use SELECTs or stored procedures to read and write
data from/to SQL Server? Why?


As long as you use solely parameterized queries, it's not making a
difference. So do:
SELECT * FROM dbo.Foo where field1 = @param
and not:
SELECT * FROM dbo.foo where field1 = 'value'

Also, always specify schema names for tables; this makes the query's
execution plan get cached better, and SQL Server's mechanism to look up
an execution plan works more efficiently.

Frans
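Frans's two points above, that a procedure which concatenates SQL internally is still injectable and that a parameterized statement gets the same plan reuse, as an added T-SQL illustration that is not from the thread. The table dbo.Foo and column field1 come from his example; the procedure names and the column type are assumptions.

```sql
-- Added example (not from the thread). Assumes a table dbo.Foo with a
-- column field1 nvarchar(50). Procedure names are made up for illustration.

-- Vulnerable: the statement text is assembled from the argument, so a
-- single quote inside @search closes the literal and whatever follows is
-- parsed as SQL. Wrapping this in a stored procedure changes nothing.
CREATE PROCEDURE dbo.SearchFoo_Unsafe
    @search nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM dbo.Foo WHERE field1 = ''' + @search + N'''';
    EXEC (@sql);   -- @search is spliced into the statement text
END;
GO

-- Hardened: the statement text is a constant and the value travels as a
-- typed parameter of sp_executesql, so it can never alter the statement's
-- shape. The plan for this constant text is cached and reused for every
-- @search value, the same reuse a parameterized client-side batch gets.
CREATE PROCEDURE dbo.SearchFoo_Safe
    @search nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM dbo.Foo WHERE field1 = @p';
    EXEC sys.sp_executesql @sql, N'@p nvarchar(50)', @p = @search;
END;
GO

-- When the filter is fixed, dynamic SQL is not needed at all; static SQL
-- with the parameter is the simplest safe form:
CREATE PROCEDURE dbo.SearchFoo_Static
    @search nvarchar(50)
AS
    SELECT * FROM dbo.Foo WHERE field1 = @search;
GO

-- All three look identical from the client; only the last two are safe.
EXEC dbo.SearchFoo_Unsafe @search = N'some value';
EXEC dbo.SearchFoo_Safe   @search = N'some value';
EXEC dbo.SearchFoo_Static @search = N'some value';
```

The same rule applies on the client side: an ADO.NET SqlCommand whose CommandText is built by concatenating user input is just as exposed, whether or not it calls a procedure.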

--
------------------------------------------------------------------------
Get LLBLGen Pro, productive O/R mapping for .NET: http://www.llblgen.com
My .NET blog: http://weblogs.asp.net/fbouma
Microsoft MVP (C#)
------------------------------------------------------------------------
Nov 21 '05 #7
sh**********@ya hoo.com wrote:
Hi john

They have there plans precompiled , so are faster.


Stored procs don't have their plans precompiled. At least not since
SQL Server 7. Only on DB2 are procedures really precompiled and stored
in a precompiled fashion (not always as well, but most people opt for
that option, although it can hurt runtime optimization).

The reason for this is that only at runtime are statistics known, and
only in the situation of a fresh query can the optimizer truly optimize
the plan based on the statistics. See BOL about execution plans.

As he's talking about SELECTs, the gain of a proc is not really an
issue (having processing on the server so you avoid pumping loads of
data to the client first and then back to the server).

FB

--
------------------------------------------------------------------------
Get LLBLGen Pro, productive O/R mapping for .NET: http://www.llblgen.com
My .NET blog: http://weblogs.asp.net/fbouma
Microsoft MVP (C#)
------------------------------------------------------------------------
Nov 21 '05 #8
Frans,
Faster than what?

Please, read the question again.

Then you will see
"to use SELECTs or stored procedure to read and write data from/to SQL
Server"

Therefore this question should, in my opinion, not only be seen as about SELECT.
I have seen that SPs can make a difference in speed.

Although we agree very much about what is, in my view, the deeper meaning of the rest
of your answers in this thread. I sometimes get the idea that people think
that an SP is a solution for everything, which directly puts an application on
a higher level.

Cor
Nov 21 '05 #9
"John" <Jo**@nospam.in fovis.co.uk> wrote in message
news:ON******** ******@TK2MSFTN GP12.phx.gbl...
Hi

When developing VB.NET winform apps bound to a SQL Server datasource, is it
preferable to use SELECTs or stored procedures to read and write data
from/to SQL Server? Why?

Thanks

Regards


If the data is sensitive, you may not allow direct access to your table. So
if you had an employee table, your users would not be able to execute any
old SQL statement, e.g.:
select firstname, lastname, salary from employee order by salary desc
but you could allow limited access to the employees table by writing a
stored procedure which returned only non-sensitive data for a given
employeeID. You give users permission to run the stored procedure but not
read permission on the table.
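The permission pattern from the post above, as added T-SQL that is not from the thread. The dbo.Employee table and its firstname/lastname/salary columns follow the example; the role name, procedure name, user name and column types are assumptions.

```sql
-- Added example (not from the thread). Assumes dbo.Employee(EmployeeID int,
-- FirstName, LastName, Salary) owned by dbo, and a database role for the
-- application's users. 'app_user' is a placeholder database user.

CREATE ROLE AppUsers;
GO

-- The procedure exposes only the non-sensitive columns for one employee.
-- Static SQL with a typed parameter: nothing is concatenated, so a caller
-- cannot widen the query to other columns or rows.
CREATE PROCEDURE dbo.GetEmployeeContact
    @EmployeeID int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT EmployeeID, FirstName, LastName
    FROM dbo.Employee
    WHERE EmployeeID = @EmployeeID;
END;
GO

-- Grant the procedure, not the table. Because dbo owns both objects,
-- ownership chaining means the table's permissions are not checked when it
-- is read through the procedure, so the caller needs no SELECT on it.
GRANT EXECUTE ON dbo.GetEmployeeContact TO AppUsers;
-- Make the intent explicit: members of AppUsers must not query the table
-- directly. The DENY does not affect access through the procedure.
DENY SELECT ON dbo.Employee TO AppUsers;
GO

-- Verify from the application's point of view (user must be a role member).
ALTER ROLE AppUsers ADD MEMBER app_user;
GO
EXECUTE AS USER = 'app_user';
GO
EXEC dbo.GetEmployeeContact @EmployeeID = 42;   -- returns one row, no Salary
GO
SELECT FirstName, LastName, Salary FROM dbo.Employee;   -- permission denied
GO
REVERT;
GO
```

This is the check to run after deploying such a procedure: the EXEC succeeds and the direct SELECT fails, otherwise the table is still reachable around the procedure.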
Nov 21 '05 #10