I'm using EXECUTE sp_executesql in my ASP.NET
Little Nick
SSC-Enthusiastic (161 reputation)
Group: General Forum Members
Points: 161 Visits: 501
My current code is as follows:


Dim sqlNm As String = ""
Dim sqlNm2 As String = ""
Dim strType As String = ""
Dim newSQL As String = ""

'~~~~~~~~~~~~~~~~~~~~~~~~~~~
Call cbfDataSQLDeclaration()
'~~~~~~~~~~~~~~~~~~~~~~~~~~~
'sqlNm = "select CONm,APId,BUId from tblwfcorules where coid = '" & COBiodataID & "'"
'norsan comment out the above code. Replace with stored proc below. 10/1/2012
' The procedure call is still built by string concatenation: COBiodataID is
' spliced into the batch text, so the server parses it as T-SQL, not as a value.
sqlNm = ""
sqlNm = "EXECUTE sp_executesql N'EXEC dbo.spPRMWFCORulesByCOID ''" & Trim(COBiodataID) & "'''"
Try
    dataSql.SelectData(connectionstring, dr, sqlNm, Nothing)
    If Not dr Is Nothing Then
        If dr.HasRows() Then
            dr.Read()
            apID = IIf(Convert.IsDBNull(dr("APId")), "", dr("APId").ToString)
            buID = IIf(Convert.IsDBNull(dr("BUId")), "", dr("BUId").ToString)
        End If
        dr.Close()  ' only close a reader that was actually returned
    End If
Catch ex As Exception
    Log.HrmisLog(Page.AppRelativeVirtualPath, "SQL1", Security.GetUserIDBS, ex.Message, True, True, False)
Finally
    Call cbfDataSQLDispose()
End Try



My question is as follows:

1. Is my technique recommended?

FYI, in my SQL Server the wait category RESOURCE_SEMAPHORE_QUERY_COMPILE was really high.
roasdasdb 89asdasdasd013
Grasshopper (14 reputation)
Group: General Forum Members
Points: 14 Visits: 131
Avoid dynamic SQL; it is not clear here why you need to use it.

Also you do not need to place another EXEC[UTE] as part of the dynamic SQL you are executing.

e.g. EXECUTE sp_executesql N'SELECT 1'

You should also use ADO.NET commands.

Rob
Jack Corbett
SSCoach (19K reputation)
Group: General Forum Members
Points: 19354 Visits: 14900
Little Nick (1/11/2012)
My current code is as follows:


Dim sqlNm As String = ""
Dim sqlNm2 As String = ""
Dim strType As String = ""
Dim newSQL As String = ""

'~~~~~~~~~~~~~~~~~~~~~~~~~~~
Call cbfDataSQLDeclaration()
'~~~~~~~~~~~~~~~~~~~~~~~~~~~
'sqlNm = "select CONm,APId,BUId from tblwfcorules where coid = '" & COBiodataID & "'"
'norsan comment out the above code. Replace with stored proc below. 10/1/2012
' The procedure call is still built by string concatenation: COBiodataID is
' spliced into the batch text, so the server parses it as T-SQL, not as a value.
sqlNm = ""
sqlNm = "EXECUTE sp_executesql N'EXEC dbo.spPRMWFCORulesByCOID ''" & Trim(COBiodataID) & "'''"
Try
    dataSql.SelectData(connectionstring, dr, sqlNm, Nothing)
    If Not dr Is Nothing Then
        If dr.HasRows() Then
            dr.Read()
            apID = IIf(Convert.IsDBNull(dr("APId")), "", dr("APId").ToString)
            buID = IIf(Convert.IsDBNull(dr("BUId")), "", dr("BUId").ToString)
        End If
        dr.Close()  ' only close a reader that was actually returned
    End If
Catch ex As Exception
    Log.HrmisLog(Page.AppRelativeVirtualPath, "SQL1", Security.GetUserIDBS, ex.Message, True, True, False)
Finally
    Call cbfDataSQLDispose()
End Try



My question is as follows:

1. Is my technique recommended?

FYI, in my SQL Server the wait category RESOURCE_SEMAPHORE_QUERY_COMPILE was really high.


I wouldn't be using this technique. Since you are calling a stored procedure within your sp_executesql call, I think you should be using a Command object with a CommandType of StoredProcedure and then using the Parameters collection to create and pass the parameter to the stored procedure. Basically something like this (I may have some syntax or class names wrong because I haven't been working in .NET the last 8 months):

Imports System.Data
Imports System.Data.SqlClient

Dim cmd As New SqlCommand()

cmd.Connection = [connection]
cmd.CommandType = CommandType.StoredProcedure
cmd.CommandText = "dbo.spPRMWFCORulesByCOID"
cmd.Parameters.Add("@COID", [SqlDbType]).Value = [Parameter Value] ' I think this is one way to do the syntax; the value is sent as a parameter, never as SQL text
Dim dr As SqlDataReader = cmd.ExecuteReader()



That's the general idea. Some of the syntax may not be right, but you should be able to figure it out. Since you aren't using parameters in your existing code or cleansing input, you are leaving yourself open to SQL injection attacks.



Jack Corbett

Applications Developer

Don't let the good be the enemy of the best. -- Paul Fleming
At best you can say that one job may be more secure than another, but total job security is an illusion. -- Rod at work

Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
How to Post Performance Problems
Crosstabs and Pivots or How to turn rows into columns Part 1
Crosstabs and Pivots or How to turn rows into columns Part 2
Little Nick
SSC-Enthusiastic (161 reputation)
Group: General Forum Members
Points: 161 Visits: 501
RESOURCE_SEMAPHORE_QUERY_COMPILE waits are high. My understanding is that this has nothing to do with my ASP.NET code technique.

Let's say my same stored procedure is executed 500 times a day. Do we have a special technique to make it run efficiently?
Jack Corbett
SSCoach (19K reputation)
Group: General Forum Members
Points: 19354 Visits: 14900
Little Nick (1/11/2012)
RESOURCE_SEMAPHORE_QUERY_COMPILE waits are high. My understanding is that this has nothing to do with my ASP.NET code technique.

Let's say my same stored procedure is executed 500 times a day. Do we have a special technique to make it run efficiently?


Sure it does. You aren't using parameters so every call to sp_executesql is likely requiring a compilation. If you use parameters properly then you will more likely get plan re-use. Even ORM tools like Linq to SQL, EF, hibernate/nhibernate use parameters.

Plus, performance isn't your biggest problem in this case; it is the security hole you leave open by using non-cleansed input to build a SQL string.

From http://technet.microsoft.com/en-us/library/cc293620.aspx
Keep in mind that caching is done on a per-batch level. If you try to force parameterization using sp_executesql or Prepare/Execute, all the statements in the batch must be parameterized for the plan to be reusable. If a batch has some parameterized statements and some using constants, each execution of the batch with different constants will be considered distinct, and there will be no value to the parameterization in only part of the batch.


You might also want to read this post, http://blogs.msdn.com/b/sqlprogrammability/archive/2007/01/21/2-0-diagnosing-plan-cache-related-performance-problems-and-suggested-solutions.aspx



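The two points made in the replies above, the injection opened by splicing the id into the batch text and the per-call compilation behind the RESOURCE_SEMAPHORE_QUERY_COMPILE waits, shown in T-SQL. This is an added example, not code from the thread or from the HRMIS application it discusses: dbo.tblwfcorules, dbo.spPRMWFCORulesByCOID and the rows are stand-ins built from the names on the page (their real definitions are not shown), the payload string is constructed for the demo, and @template reproduces the exact batch the VB.NET code sends.

```sql
-- Added example (not code from the thread). Run in a scratch database.
-- dbo.tblwfcorules and dbo.spPRMWFCORulesByCOID are stand-ins modelled on the
-- names in the post; the real definitions are not on the page.
SET NOCOUNT ON;
IF OBJECT_ID(N'dbo.spPRMWFCORulesByCOID', N'P') IS NOT NULL DROP PROCEDURE dbo.spPRMWFCORulesByCOID;
IF OBJECT_ID(N'dbo.tblwfcorules', N'U') IS NOT NULL DROP TABLE dbo.tblwfcorules;
GO
CREATE TABLE dbo.tblwfcorules
    (COId varchar(100) NOT NULL, CONm varchar(50), APId varchar(20), BUId varchar(20));
INSERT INTO dbo.tblwfcorules VALUES            -- constructed sample rows
    ('C001', 'Rule one', 'AP1', 'BU1'),
    ('C002', 'Rule two', 'AP2', 'BU2');
GO
CREATE PROCEDURE dbo.spPRMWFCORulesByCOID @COID varchar(100) AS
    SELECT CONm, APId, BUId FROM dbo.tblwfcorules WHERE COId = @COID;
GO

/* 1. The post's pattern. @template is the text the VB.NET code sends:
         EXECUTE sp_executesql N'EXEC dbo.spPRMWFCORulesByCOID ''{id}'''
      written with the extra quote-doubling T-SQL needs to hold it in a literal. */
DECLARE @template nvarchar(200) =
    N'EXECUTE sp_executesql N''EXEC dbo.spPRMWFCORulesByCOID ''''{id}''''''';
DECLARE @batch nvarchar(400), @id varchar(100);

-- Constructed payload. Inside the N'...' literal a doubled quote is one quote, so
-- the inner batch that sp_executesql receives is:
--     EXEC dbo.spPRMWFCORulesByCOID 'x'; SELECT 'injected' AS Marker; --'
DECLARE @payload varchar(100) = 'x''''; SELECT ''''injected'''' AS Marker; --';

SET @batch = REPLACE(@template, N'{id}', 'C001');
EXEC (@batch);      -- the intended call for C001
SET @batch = REPLACE(@template, N'{id}', @payload);
EXEC (@batch);      -- the proc runs for 'x', then the attacker's SELECT runs as well

/* 2. Parameterised. The value is bound, never parsed: the WHERE compares COId with
      the whole payload string and nothing else executes. A SqlCommand with
      CommandType.StoredProcedure and a SqlParameter does the same thing on the wire. */
EXEC sp_executesql
    N'EXEC dbo.spPRMWFCORulesByCOID @COID = @id;',
    N'@id varchar(100)',
    @id = @payload;

/* 3. The compile cost behind RESOURCE_SEMAPHORE_QUERY_COMPILE. Every distinct
      concatenated text is a new batch to compile; the parameterised text is one
      batch reused with different values. Needs VIEW SERVER STATE; FREEPROCCACHE
      clears the whole instance cache, so run this on a test instance only. */
DBCC FREEPROCCACHE;
DECLARE @i int = 1;
WHILE @i <= 5
BEGIN
    SET @id = CONCAT('C00', @i);
    SET @batch = REPLACE(@template, N'{id}', @id);      -- five different batch texts
    EXEC (@batch);
    EXEC sp_executesql N'EXEC dbo.spPRMWFCORulesByCOID @COID = @id;',  -- one text, five values
         N'@id varchar(100)', @id = @id;
    SET @i += 1;
END;

-- Compare objtype and usecounts of the two styles side by side.
SELECT cp.objtype, cp.usecounts, st.text
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE st.text LIKE N'%spPRMWFCORulesByCOID%'
  AND st.text NOT LIKE N'%dm_exec_cached_plans%'     -- hide this script's own batch
ORDER BY cp.objtype, cp.usecounts DESC;
```

In the final query the five concatenated calls show up as separate single-use entries (an Adhoc entry for each outer batch and a Prepared entry for each distinct inner text), while the parameterised call is one Prepared entry whose usecounts climbs to 5; the procedure's own Proc plan is reused in both cases, so the extra compilations are entirely in the wrapper batches. If the instance has `optimize for ad hoc workloads` enabled the single-use entries appear as compiled plan stubs rather than full plans, but each of them was still compiled. Note that Trim() and quote-doubling in the application do not help here: the value passes through two literal levels, and the payload above already uses doubled quotes to survive the outer one. Binding the value as a parameter removes the parsing step altogether.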
Little Nick
SSC-Enthusiastic (161 reputation)
Group: General Forum Members
Points: 161 Visits: 501
Thank you, sir.