5

I am using .NET 3.5, and looking at old code done by someone else and trying to add security and update it.

What are the best practices for accessing data in a web forms project?

Currently I am changing the code to use SQL parameterization, like so:

    using System.Configuration;
    using System.Data.SqlClient;

    // appSettings holds the name of the connection string; connectionStrings holds the value.
    using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings[ConfigurationManager.AppSettings["defaultConnection"]].ConnectionString))
    {
        using (SqlCommand myCommand = new SqlCommand(sql.ToString(), conn))
        {
            // The SQL text in 'sql' refers to this value as @search1; it is never concatenated in.
            myCommand.Parameters.AddWithValue("search1", mySearchVar);
            conn.Open();
            ...
        }
    }

I know SQL parameterization is important, but I see other people using stored procedures. Are there other ways, or best practices to follow?

  • .net 3.5, any reason you don't want to use EntityFramework? Commented Nov 21, 2012 at 20:20
  • I use LINQ to Entity Framework. Commented Nov 21, 2012 at 20:21
  • Parameterization is inherently part of stored procedures Commented Nov 21, 2012 at 20:28
  • I have no objection to using EF, just wanted some best practices. I'm reading about EF now and will probably use it. Commented Nov 21, 2012 at 20:32
  • .NET ORMs - stackoverflow.com/questions/1377236/… Commented Nov 28, 2012 at 21:40

3 Answers

7

If it's not just small refactoring and you have time to rewrite your data access layer, use some ORM:

NHibernate

Entity Framework

Dapper.NET (Stackoverflow ORM)

BLToolkit


3 Comments

And if you need to be FAST - BLToolkit. Less features, but it beats the heck out of the others you name in terms of performance. Used it to issue literally millions of SQL statements per minute to a 96 core database server a year ago for ETL load.
@TomTom agree. I have added Dapper as well.
Using BLToolkit combined with T4 is something I've done in the past and works extremely well, and without having to initially generate all of your tables in code yourself.
4

There is nothing wrong with using ADO.NET. It's what drives all the ORM solutions in .NET.

Yet it seems .NET developers are running in droves to jump on the ORM bandwagon. ORMs are just one of many tools in the data access toolbox.

In the early 2000's ORMs took the Java world by storm. Stored procedures were shunned. It was ORM or nothing. A half decade later Java developers realized that the best solution uses both an ORM and stored procedures; each has strengths.

Use the best tool for the job. ORMs can automate much of the CRUD from the application. Stored procedures are good for adding abstraction, adding a layer of security and optimizing areas that need to be highly performant.

Choose the best tool for the job.

1 Comment

+1: Golden words: Choose the best tool for the job! However, choosing the best tools requires sound knowledge of the problem domain (including constraints) and the pros/cons of the tools being evaluated.
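To make the question's parameterization step and this answer's "layer of security" point concrete, here is an added example (not code from the question or from any of the answers) showing the concatenated query the asker is migrating away from next to a parameterized version and a stored-procedure version. The table dbo.Customers, the procedure dbo.usp_SearchCustomers and the column names are assumed for illustration.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class CustomerSearch
{
    // BEFORE: the pattern the question is migrating away from. The user's text is spliced
    // into the SQL, so a quote character in it changes what the statement does.
    public static SqlCommand UnsafeSearch(SqlConnection conn, string term)
    {
        return new SqlCommand("SELECT Id, Name FROM dbo.Customers WHERE Name LIKE '%" + term + "%'", conn);
    }

    // AFTER (1): inline SQL with an explicitly typed parameter. The value never becomes part
    // of the statement text; the LIKE wildcards are added to the value, not to the SQL.
    public static SqlCommand ParameterizedSearch(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand("SELECT Id, Name FROM dbo.Customers WHERE Name LIKE @search1", conn);
        cmd.Parameters.Add("@search1", SqlDbType.NVarChar, 100).Value = "%" + term + "%";
        return cmd;
    }

    // AFTER (2): a stored procedure (dbo.usp_SearchCustomers taking @search1 NVARCHAR(100) is
    // assumed). CommandType.StoredProcedure sends an RPC call rather than an ad hoc batch, and
    // the login needs only EXECUTE on the procedure, not SELECT on the table: the "layer of
    // security" the second answer mentions.
    public static SqlCommand StoredProcSearch(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand("dbo.usp_SearchCustomers", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@search1", SqlDbType.NVarChar, 100).Value = term;
        return cmd;
    }

    // Same connection-string lookup as the question, then run the stored-procedure version.
    public static void Run(string term)
    {
        string name = ConfigurationManager.AppSettings["defaultConnection"];
        using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings[name].ConnectionString))
        using (var cmd = StoredProcSearch(conn, term))
        {
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
                while (r.Read())
                    Console.WriteLine("{0}: {1}", r.GetInt32(0), r.GetString(1));
        }
    }
}
```

Parameters.Add with an explicit SqlDbType and size is used instead of AddWithValue because AddWithValue infers the SQL type from the .NET value, which can force implicit conversions on the server side.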
-1

Entity Framework is one 'best practice' and the one Microsoft pushes the most. But there is no best data access methodology.

After some bad experiences with the performance of EF and other ORMs I generally steer clear of them entirely and just hand craft data access code or use code generation tools to output code crafted for the specific application.

There are on the other hand lots of bad practices and you're avoiding a key one by moving to parameterization.

Personally I don't see any point in stored procs nowadays, unless you are going to use them entirely - i.e. prevent any data modification outside of stored procs. If that's the case it could provide you with some comfort over the type of modifications that are possible to your data.

So this isn't really an answer - as really there isn't one - your question opens up a massive topic of discussion. Time to buy some books, or get busy with Google.
