cmd("@xxx") vs cmd.Parameters.Append cmd.CreateParameter("@xxx")

  • Can anyone tell me whether the following two methods of sending information to a stored procedure behave in the same way? Is there a benefit to one over the other, mostly in terms of security? Both ways work for me; I'm just wondering what the difference is. Thank you!

    --METHOD #1--

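    ' Method 1: assign values through the Command's default Parameters collection.
    ' No Parameter objects are appended first, so the first cmd("@...") access
    ' makes ADO ask the provider for the procedure's parameter list (an implicit
    ' Parameters.Refresh). Names, types and sizes then come from the server at run
    ' time, at the cost of an extra round trip.
    ' The values are still bound as parameters; nothing here is concatenated into
    ' SQL text, so a value cannot change the statement that runs.
    ' cmd is created and connected outside this snippet.
    ' NOTE(review): CommandType is not set here. With the default (adCmdUnknown)
    ' ADO has to work out that CommandText names a procedure; setting it to
    ' 4 (adCmdStoredProc), as Method 2 does, removes that guesswork.
    cmd.CommandText = "spGetInfo"

    ' CLng instead of CInt: CInt yields a 16-bit Integer and raises an Overflow
    ' error above 32767, while @InfoID is a 32-bit int. Either conversion raises a
    ' Type mismatch error on non-numeric input, so non-numbers never reach the
    ' database. The stray closing parenthesis of the original line is removed.
    cmd("@InfoID") = CLng(InfoID)
    cmd("@Visits") = CInt(1)
    cmd("@View") = "Full"

    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.CursorLocation = 3   ' adUseClient
    rs.CursorType = 3       ' adOpenStatic
    ' 3 = adLockOptimistic. NOTE(review): if the page only reads the rows,
    ' 1 (adLockReadOnly) would be enough - confirm against how rs is used.
    rs.LockType = 3
    rs.Open cmd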

    --METHOD #2--

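    ' Method 2: declare every parameter explicitly and append it to the Command.
    ' ADO does not need to query the server for parameter metadata, and the type,
    ' direction and size of each value are fixed in this code instead of being
    ' taken from whatever the procedure currently declares.
    ' As in Method 1, values are bound as parameters and never spliced into SQL
    ' text. cmd is created and connected outside this snippet.
    cmd.CommandText = "spGetInfo"
    cmd.CommandType = 4     ' adCmdStoredProc
    ' NOTE(review): Prepared is aimed at text commands that run repeatedly; for a
    ' stored-procedure call it probably adds nothing - confirm before relying on it.
    cmd.Prepared = true

    ' CreateParameter(name, type, direction, size, value)
    ' 3 = adInteger, 1 = adParamInput, size 4 bytes.
    ' CLng instead of CInt: CInt is 16-bit and raises Overflow above 32767, while
    ' the parameter is a 32-bit integer. Non-numeric input raises Type mismatch.
    cmd.Parameters.Append cmd.CreateParameter("@InfoID", 3, 1, 4, CLng(InfoID))
    cmd.Parameters.Append cmd.CreateParameter("@Visits", 3, 1, 4, CInt(1))
    ' 202 = adVarWChar with size 10, matching the procedure's nvarchar(10).
    ' The original declared 200 (adVarChar) with size 30; a size larger than the
    ' procedure's lets an over-long value through to the server, where it would be
    ' cut to 10 characters.
    cmd.Parameters.Append cmd.CreateParameter("@View", 202, 1, 10, "Full")

    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.CursorLocation = 3   ' adUseClient
    rs.CursorType = 3       ' adOpenStatic
    ' 3 = adLockOptimistic. NOTE(review): if the page only reads the rows,
    ' 1 (adLockReadOnly) would be enough - confirm against how rs is used.
    rs.LockType = 3
    rs.Open cmd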

    --STORED PROCEDURE--

    -- Returns the tbInfo rows whose InfoID equals @InfoID when @View is 'Full'.
    -- The parameters are used only as values in a static statement; the visible
    -- body builds no dynamic SQL string, so a parameter value cannot change the
    -- query that runs, whichever of the two calling methods supplies it.
    ALTER PROCEDURE [spGetInfo]

    -- Every parameter has a default, so a caller may omit any of them.
    @InfoID int = 0,

    -- Not referenced in the part of the body shown here.
    @Visits int = 0,

    @View nvarchar(10) = null

    AS

    -- There is no ELSE branch: for any other @View value (including NULL) the
    -- visible body returns no result set.
    IF @View = 'Full'

    BEGIN

    -- NOTE(review): SELECT * returns every column of tbInfo; listing only the
    -- columns the page needs would limit what is exposed - confirm with the caller.
    SELECT *

    FROM tbInfo

    WHERE InfoID = @InfoID

    END
