I always access other programmer code, I saw the code interesting and challenging today - the code is in ASP VBScript + dynamic SQL, the purpose of the code is to generate the SQL query string based on web page querystring, the code is as below:-
StrSQL = "select * from fact_drive_failures2 where day_id = " & request("day_id")
If request("floor") <> "" Then
StrSQL = strSQL & " and floor_id = " & request(“floor_id”)
End If
I believe this is a very common practice for many programmers. With the dynamic SQL string with the ASP code, it has many pitfalls in security, performance, permission, network traffic and many more disadvantages...
I convert this code to MS SQL Server stored procedure:-
CREATE PROCEDURE dbo.GET_DATA
(
@pn_DayId int,
@pv_FloorId varchar(1000)
)
AS
Select * from fact_data
where day_id = @pn_dayid
and floor_id =
case @pv_Floor = ‘’ then floor_id
else @pv_floor end
Now the stored procedure can be called by front-end application without worrying the string concatenation, easier to maintain, better security and the performance is much better.
No comments:
Post a Comment