 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / Languages / VB.NET / May 2006Inline SQL vs stored procs on SQL Server 7 and 2000
Is there a difference in how SQL Server 7 and SQL 2000 processes SQL passed from a program by an ADO command object. Reason I ask is I rewrote a couple applications a couple years ago were the SQL statements were inline. I basically took the SQL statements and put them into stored procs, were there were variables in the code I used SQL parameters in the stored procs. I got some amazing performance results by switching to stored procs. The coding was done in VB6 using ADO. Now using SQL 2000 and VB.NET there appears to be little or no performance difference between using stored procs and inline sql. Any thoughts, I kinda would like to know so if I ever would deal with SQL Server 7 again, I might only use Stored Procs over inline sql, where SQL 2000 and 2005 I could use either. Could It be the version of SQL or ADO being used or a combination of both? By the way there were no hardware changes on the servers or the network that could have caused the speed up. Thanks Kent > Is there a difference in how SQL Server 7 and SQL 2000 processes SQL > passed from a program by an ADO command object. Reason I ask is I [quoted text clipped - 14 lines] > were no hardware changes on the servers or the network that could have > caused the speed up. I suspect some of the performance changes you are seeing are between ADO.old and ADO.Net's native SQL provider. There is debate over the relative performance differences between stored procedures and parameterized queries. I am unclear from your description of inline sql if you are talking about queries where you use string concatenation to supply parameters. From both a performance standpoint and security standpoint (read up on SQL injection) concatenated SQL is a bad thing. Parameterized queries on the other hand are not as performant as SP's (as I am lead to belive. I still want to crunch some numbers on this myself) but they are pretty close and offer the ability to change out data providers easier for simple CRUD operations. From a security stand point, SP's offer a bit more security and encapsulation whereas parameterized queries require full table CRUD permissions. Jim Wooley http://devauthority.com/blogs/jwooley/default.asp > I am unclear from your description of inline sql if you are talking about > queries where you use string concatenation to supply parameters. From both [quoted text clipped - 11 lines] > Jim Wooley > http://devauthority.com/blogs/jwooley/default.aspx Thanks for the response Jim, Yes I am talking about sql statements that are concanentated in code. I am not sure what your talking about when you say parameterized queries, could you explain. Thanks again, Kent > Yes I am talking about sql statements that are concanentated in code. > I am not sure what your talking about when you say parameterized > queries, could you explain. RUN, don't walk, to your favorite search engine and search on SQL Injection. Get rid of your concatented sql statements NOW! In short, consider the following SQL: "Select * from Employee where EmployeeId = " & txtSearchString.text This works fine as long as the user puts a valid value into the box. Now what happens if they enter "1 or 1=1" in the txtsearchstring box? All employee records will be returned. If we get meaner, we could enter "1 ; Drop Table Employee". Hopefully you can figure out what will happen now. I've heard that some security companies have come up with a fully functioning SQL Enterprise Manager solely using SQL Injection attacks on a vulnerable web application. As a better alternative, here is an example of a parameterized SQL statement: Using cn = New SqlConnection(MyConnectionString) dim cm as as SqlCommand = cn.CreateCommand cm.CommandType = commandType.Text cm.CommandText = "Select * from Customers where City = @City" cm.Parameters.AddWithValue("@City", txtSearchString.text) dim dr as DataReader = cm.ExecuteReader From a code standpoint, parametrized SQL behaves much like stored procedures. The difference is, you aren't defining the procedure on the server, but in your code. SQL Server will still cache the execution plan on parameterized queries as long as the parameter list does not change (the parameter values can change without effecting the cache). Becasue we are parameterizing the results, entering one of the invalid responses above will not have the same undesired effects as the server does not see the invalid values as additional commands to execute, but just values to compare against. Jim Wooley http://devauthority.com/blogs/jwooley/default.asp Yea, I understand what you are talk about now, parameterized queries is what I do now. I left concatenation behind in VB6. But just to reiterate there is not much difference in performance between a stored proc and a parameterized query? Would you know if there is a performance difference running parameterized queries on SQL 7 vs 2000 fro VB.NET? The performance debate is about the fact that every SQL statement to SQL server is compiled ( a lot of people believe that this is the main pefformance benefit of a SP ) however it isn`t as SQL compiles every SQL statement that it receives when would you use a SP (when you only consider performance ) ?? when you call a query a lot of times a SP would be faster 1. the execution plan`s that sql server makes 2. the amount of data overhead is lower regards Michel Posseth > Yea, I understand what you are talk about now, parameterized queries is > what [quoted text clipped - 5 lines] > performance difference running parameterized queries on SQL 7 vs 2000 fro > VB.NET? I posted a discussion of this on my blog. http://betav.com/blog/billva/2006/05/are_sps_faster_than_adhoc_quer.html hth  Signature____________________________________ William (Bill) Vaughn Author, Mentor, Consultant Microsoft MVP INETA Speaker www.betav.com/blog/billva www.betav.com Please reply only to the newsgroup so that others can benefit. This posting is provided "AS IS" with no warranties, and confers no rights. __________________________________ "Michel Posseth [MCP]" <MSDN@posseth.com> wrote in message news:OGfixxMgGHA.4276@TK2MSFTNGP03.phx.gbl... > > The performance debate is about the fact that every SQL statement to SQL [quoted text clipped - 22 lines] >> performance difference running parameterized queries on SQL 7 vs 2000 fro >> VB.NET? Bill, it appears you omitted the underscores when copying the url. I believe this is what you were refering to: http://betav.com/blog/billva/2006/05/are_sps_faster_than_adhoc_quer.html Jim Wooley http://devauthority.com/blogs/jwooley/default.aspx > I posted a discussion of this on my blog. > http://betav.com/blog/billva/2006/05/are sps faster than adhoc [quoted text clipped - 40 lines] > >>> VB.NET? Hummm. It worked for me from the original posting--the underscores were there. Signature____________________________________ William (Bill) Vaughn Author, Mentor, Consultant Microsoft MVP INETA Speaker www.betav.com/blog/billva www.betav.com Please reply only to the newsgroup so that others can benefit. This posting is provided "AS IS" with no warranties, and confers no rights. __________________________________ > Bill, it appears you omitted the underscores when copying the url. I > believe this is what you were refering to: [quoted text clipped - 48 lines] >> >>>> VB.NET? Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.