Little Nick (1/11/2012)
My current code is as follows:
Dim sqlNm As String = ""
Dim sqlNm2 As String = ""
Dim strType As String = ""
Dim newSQL As String = ""
'~~~~~~~~~~~~~~~~~~~~~~~~~~~
Call cbfDataSQLDeclaration()
'~~~~~~~~~~~~~~~~~~~~~~~~~~~
'sqlNm = "select CONm,APId,BUId from tblwfcorules where coid = '" & COBiodataID & "'"
'norsan comment out the above code. Replace with stored proc below. 10/1/2012
sqlNm = ""
sqlNm = "EXECUTE sp_executesql N'EXEC dbo.spPRMWFCORulesByCOID ''" & Trim(COBiodataID) & "'''"
Try
    dataSql.SelectData(connectionstring, dr, sqlNm, Nothing)
    If Not dr Is Nothing Then
        If dr.HasRows() Then
            dr.Read()
            apID = IIf(Convert.IsDBNull(dr("APId")), "", dr("APId").ToString)
            buID = IIf(Convert.IsDBNull(dr("BUId")), "", dr("BUId").ToString)
        End If
        dr.Close() ' close only when a reader was actually returned
    End If
Catch ex As Exception
    Log.HrmisLog(Page.AppRelativeVirtualPath, "SQL1", Security.GetUserIDBS, ex.Message, True, True, False)
Finally
    Call cbfDataSQLDispose()
End Try
My question is as follows:
1. Is my technique recommended?
FYI, in my SQL Server, the wait category RESOURCE_SEMAPHORE_QUERY_COMPILE was really high.
I wouldn't be using this technique. Since you are calling a stored procedure within your sp_executesql call, I think you should be using a Command object with a CommandType of stored procedure and then using the Parameters collection to create and pass the parameter to the stored procedure. Basically something like this (I may have some syntax or class names wrong because I haven't been working in .NET the last 8 months):
Dim cmd As New SqlCommand()
cmd.Connection = [connection]
cmd.CommandType = CommandType.StoredProcedure
cmd.CommandText = "dbo.spPRMWFCORulesByCOID"
cmd.Parameters.Add("@COID", [Data Type]).Value = [Parameter Value] ' I think this is one way to do the syntax
cmd.ExecuteReader()
That's the general idea. Some of the syntax may not be right, but you should be able to figure it out. Since you aren't using parameters in your existing code or cleansing input, you are leaving yourself open to SQL Injection attacks.
Jack Corbett
Consultant - Straight Path Solutions
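As an added illustration (not code from either post), here is the lookup from the question rewritten the way the reply suggests: the stored procedure name is the command text and COBiodataID travels as a typed SqlParameter, so a value containing a quote character is sent as data instead of becoming part of the statement. The parameter name @COID and type NVARCHAR(50) are assumptions; match them to the procedure's real definition.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Public Module WfcoRulesLookup

    ' Parameterized replacement for the sp_executesql string in the question.
    ' Assumption (not from the page): the procedure declares @COID NVARCHAR(50).
    ' Returns True when a row was found; apId/buId are "" for NULL columns.
    Public Function TryGetApAndBuIds(connectionString As String,
                                     coBiodataId As String,
                                     ByRef apId As String,
                                     ByRef buId As String) As Boolean
        apId = "" : buId = ""
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand("dbo.spPRMWFCORulesByCOID", conn)
                ' No T-SQL is assembled here; the procedure name is the whole text.
                cmd.CommandType = CommandType.StoredProcedure
                ' Trim() mirrors the original code. The value is bound as data,
                ' so quotes inside it cannot alter what SQL Server executes.
                cmd.Parameters.Add("@COID", SqlDbType.NVarChar, 50).Value = coBiodataId.Trim()
                conn.Open()
                Using dr As SqlDataReader = cmd.ExecuteReader(CommandBehavior.SingleRow)
                    If Not dr.Read() Then Return False
                    apId = ReadText(dr, "APId")
                    buId = ReadText(dr, "BUId")
                    Return True
                End Using
            End Using
        End Using
    End Function

    ' Same DBNull handling as the original IIf lines, but without IIf's
    ' evaluation of both branches; works for string or numeric columns.
    Private Function ReadText(dr As SqlDataReader, column As String) As String
        Dim ordinal As Integer = dr.GetOrdinal(column)
        If dr.IsDBNull(ordinal) Then Return ""
        Return Convert.ToString(dr.GetValue(ordinal))
    End Function

End Module
```

Because the command text is identical on every call, SQL Server can reuse one cached plan for the procedure, whereas the question's sp_executesql string changes with each COBiodataID and so is a new ad hoc batch to compile each time, which is consistent with the RESOURCE_SEMAPHORE_QUERY_COMPILE waits mentioned.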