SQL 2000 & ASP.NET/Visual Studio 2005

[Guest]

What is the best way to edit records on a form using ASP.NET(VB.NET) in
VS2005 connecting to SQL 2K database? Is just mapping text boxes to
data? Or are there any new methods of doing that?

 

[Mark Fitzpatrick]

The best way, and safest from a security perspective, is to use stored
procedures. This enables you to pass parameters to the db instead of using a
method that may simply end up concatenating a string together. With the
parameters, you can mitigate the use of a sql injection attack. It's also a
bit better because the parameters are typed whereas all the textbox values
are initially strings until you convert them, and passing the wrong type to
a parameter will at least throw an informative error. The performance of a
stored procedure is also better since the database will be able to optimize
the procedure and cache the optimization for future use.

 

[Cowboy \(Gregory A. Beamer\)]

You can speed it up a bit by dragging the table onto the form and consuming
that data. It will create all of the adapters for you. It is not necessarily
the best, from an Enterprise standpoint, but it works rather well for many
sites for small and medium businesses. If you want to be a bit more correct,
a DataSet with a table adapter works nicely.

I will both agree and disagree with part of Mark's statement. The sproc
(stored procedure) version of database access is easier to secure, but you
can get similar security using parameterized queries in a tableAdapter, so
the main security is not what Mark states. When you drag data onto a form,
it is automatically parameterized, eliminating SQL injection.

 

[Mark Fitzpatrick]

Thanks for pointing that out Gregory. I stopped using the VS designer
because I didn't like the code bloat in VS 02. Now I'm just as fast
hand-coding and templating it I haven't bothered to check out any of the
designer features in VS 2005. Do you know of any other good time-saving db
shortcuts in the VS designer that are worth examining?

Mark