Re: Speeding up in-line queries
From: Bob Barrows [MVP] (reb01501_at_NOyahoo.SPAMcom)
Date: 06/18/04
- Previous message: Susan: "RE: Testing and Analysis Tools?"
- In reply to: Astra: "Speeding up in-line queries"
- Next in thread: Aaron [SQL Server MVP]: "Re: Speeding up in-line queries"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 18 Jun 2004 16:52:42 -0400
Astra wrote:
> Hi All
>
> I know this is a 'try it yourself' thing, but is it generally true
> that in-line query (A):
>
> strSQLQuery = "update accounts set fred='" & strfred & "',bob='" &
> strbob & "', etc
>
> is not pretty to read as one long string, BUT a lot faster to execute
> than in-line query (B):
>
> strSQLQuery = "update accounts set "
> strSQLQuery = strSQLQuery & "fred='" & strfred & "',"
> strSQLQuery = strSQLQuery & "bob='" & strbob & "',"
> etc etc
>
> Yes?
>
It's faster, but not a LOT faster. You will only be able to notice the
difference in a loop that's building a huge string.
The real problem is the possibility of SQL Injection:
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
You should not be using dynamic SQL. Stored procedures are the most secure
methodology.
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I don't
check it very often. If you must reply off-line, then remove the "NO SPAM"
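To make the injection risk Bob points at concrete, here is an added example that is not part of either post. It mirrors the poster's UPDATE in Python with an in-memory SQLite database as a stand-in for ADO; the mechanism is the same in classic ASP. The column names fred and bob come from the post; the id column, the WHERE clause, the seed rows and the attacker payload are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the poster's "accounts" table.
# fred and bob are the columns named in the post; id is an assumption.
SEED_ROWS = [(1, "a1", "b1"), (2, "a2", "b2"), (3, "a3", "b3")]

# A value an attacker might submit as strfred (constructed for this example).
# The quote closes the string literal, "WHERE 1=1" widens the update to every
# row, and "--" comments out the remainder of the original statement.
PAYLOAD = "pwned' WHERE 1=1 --"


def fresh_db():
    """Create and seed an in-memory accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, fred TEXT, bob TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def build_update_concat(strfred, strbob, account_id):
    """The poster's approach: user-supplied values pasted into the SQL text."""
    return (
        "UPDATE accounts SET fred='" + strfred + "', bob='" + strbob
        + "' WHERE id=" + str(account_id)
    )


def update_concat(conn, strfred, strbob, account_id):
    """Run the concatenated statement; whatever the input contains is SQL."""
    sql = build_update_concat(strfred, strbob, account_id)
    conn.execute(sql)
    conn.commit()
    return sql


def update_parameterized(conn, strfred, strbob, account_id):
    """The fix: the SQL text is fixed and the values travel as parameters."""
    sql = "UPDATE accounts SET fred=?, bob=? WHERE id=?"
    conn.execute(sql, (strfred, strbob, account_id))
    conn.commit()
    return sql


def snapshot(conn):
    """Return every row so the effect of each update can be compared."""
    return conn.execute("SELECT id, fred, bob FROM accounts ORDER BY id").fetchall()


def demo():
    """Apply the same payload both ways and return (vulnerable, safe) tables."""
    vuln = fresh_db()
    update_concat(vuln, PAYLOAD, "x", 1)       # intended to touch only id=1
    safe = fresh_db()
    update_parameterized(safe, PAYLOAD, "x", 1)
    return snapshot(vuln), snapshot(safe)


if __name__ == "__main__":
    vulnerable_rows, safe_rows = demo()
    print("concatenated SQL :", build_update_concat(PAYLOAD, "x", 1))
    print("after concat     :", vulnerable_rows)   # every row now has fred='pwned'
    print("after parameters :", safe_rows)         # only id=1 changed, literally
```

With concatenation the payload rewrites the statement and every account's fred column is overwritten; with parameters the same payload is stored verbatim in row 1 and nothing else moves. In classic ASP the equivalent is an ADODB.Command with `?` placeholders and `CreateParameter`, or `CommandType = adCmdStoredProc` with parameters appended the same way. The protection comes from the parameters, not from the stored procedure as such: building `"EXEC sp_update '" & strfred & "'"` as a string is still dynamic SQL and still injectable.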