tags:

views:

467

answers:

6
+4  Q: 

Why does LINQ send sp_executesql instead of directly executing the SQL?

For eaxmple, LINQ to SQL is sending the following:

exec sp_executesql 
N'SELECT [t0].[HomeID], 
  [t0].[Bedrooms], 
  [t0].[ImageURL], 
  [t0].[Price], 
  [t0].[Available], 
  [t0].[Description]
FROM 
  [dbo].[Homes] AS [t0]
WHERE 
  ([t0].[Description] LIKE @p0) AND 
    ([t0].[Available] = @p1) AND 
    ([t0].[Price] >= @p2) AND ([t0].[Price] <= @p3)
ORDER BY 
  [t0].[Price] DESC',
N'@p0 nvarchar(4000),@p1 int,@p2 int,@p3 int',
@p0=N'%private%',
@p1=1,
@p2=200000,
@p3=750000

Why does it use sp_executesql?

+3  A: 

EDIT, oops did I say paramterization instead of parameter replacement, thanks stephbu

sp_executesql is preferred over execute because it supports parameter substitution, and tends to perform more efficiently.

cmsjr  2009-07-01 14:01:08
Execute is just as parameterizable, so parameterization isn't it. What data says it performs "more efficiently" Its at least the same cost.
stephbu  2009-07-01 14:11:20
It may have been more technically correct to say parameter substitution rather than parameterization, as for the efficiency I invite you to check out the following link. http://msdn.microsoft.com/en-us/library/ms175170.aspx
cmsjr  2009-07-01 14:19:50
http://msdn.microsoft.com/en-us/library/ms175580.aspx as additional information about Execute supporting the same parameterized statement caching strategies.
stephbu  2009-07-01 14:20:01
The article is talking about the EXECUTE tsql statement. The OP is wondering why sp_executesql is being sent rather than sending the "inner" statement directly (parameters and all).
stephbu  2009-07-01 14:22:30
Yeah I guess I should qualify mine a bit better too :) SQLExecDirect through OLEDB/ODBC is just as a parameterizable. Unless there was more than a single statement being sent - it doesn't seem to make sense.
stephbu  2009-07-01 14:25:39
+5  A: 

This notation allows the runtime compiled TSQL statement to be re-used with different parameters; i.e. the statement only gets compiled once which improves efficiency.

Adamski  2009-07-01 14:01:19
Execute uses the same statement cache with parameterized queries.
stephbu  2009-07-01 14:11:53
Also, this way it's more secure against SQL injection.
gerleim  2010-08-27 09:55:03
+3  A: 

This is, at least partially, so that you get query plan reuse. It could put the parameters inline, which means that every time you run the query with different parameters the analyzer sees it as a different query and reparses it. But since it's executed this way, the query plan is cached and it can just plug in the new variables each time you run it.

Clyde  2009-07-01 14:03:15
A: 

One thing to note is that it also provides protection from SQL Injection because of parameterization. Can't really complain about that one...

jinsungy  2009-07-01 14:05:44
Not according to this link: http://msdn.microsoft.com/en-us/library/ms188001.aspx - "Run time-compiled Transact-SQL statements can expose applications to malicious attacks, such as SQL injection."
Adamski  2009-07-01 14:16:36
This isn't a reason to use sp_executesql tho'. Parameterization is available on the SqlExecDirect calls through OLE/DB and ODBC too.
stephbu  2009-07-01 14:30:01
@Adamski - of course it does.. http://msdn.microsoft.com/en-us/library/bb386929.aspx. "LINQ to SQL avoids such injection by using SqlParameter in queries."
jinsungy  2009-07-01 14:48:12
@stephbu - you are right. i was just noting a benefit.
jinsungy  2009-07-01 14:51:05
A: 

This is a great question. This isn't really answer but an exploration of the reasoning already given by other answers. Feel free to update this "answer"

The obvious answer would have been "parameterized query cache". However parameters could just as easily been bound when the statement was executed directly and still get cached.

Syntax and details in this MSDN article...

http://msdn.microsoft.com/en-us/library/ms175580(SQL.90).aspx

Performance claims I doubt without data since the cache appears to be the same for both direct and sp_execsql'd queries.

So if it's not those - what is it?

stephbu  2009-07-01 15:05:29
A: 

I do not think it is a performance solution. Execution plans in SQL are cached even for direct queries.

I do think it is a security solution for sql injection.

However if you try to use traces that use Linq to SQL in the Database Engine Tuning Advisor the sp_execute is not interpeted by the Tuning Advisor, I would like to turn it off. SQL injection can also be detected in the Linq To Sql statements / framework (the code) why would you even try to send invalid data to SQL.

Gertjan  2010-10-27 13:55:43

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP