tags:

views:

468

answers:

2
Q: 

Best Practice for using Stored Procedures in asp.net for inserting Data

I was wondering if anyone can give me a link on following a best practice pattern for inserting data in a SQL db using stored procedures. I mean, what procedures should we take to ensure validated data to be passed through stored procedures.

+1  A: 

There are many different ways to do this depending on if you are using an ORM or using direct database access. One thing is you should use the SqlParameter object to create SP parameters. There are a wide variety of ways to create a SqlParameter with various options but the simplest form is 

 SqlParameter[] prms = new SqlParameter[1];
 prms[0] = new SqlParameter("@userid", "Bob");
Cody C  2009-08-04 16:16:45
But how can I trap javscript or SQL code if they passes it into some textbox?For example, I am allowing user to write an email message and I am saving that message too in db before sending email. But I don't want users/hackers to write a fully functional code in SQL to hack my site or corrupt the data. Even though I am using Sql parameters, but is it secure?
Mohit  2009-08-04 16:22:33
If you use parameters, then the hackers cannot perform a SQL injection.
John Saunders  2009-08-04 16:24:38
So thats what I am asking, that the statement which Mr. Cody C has given is enough for me, then or do I need to do some other things too?
Mohit  2009-08-04 16:26:52
you should always do basic validation on the user input but the parameters will protect you against the standard SQL Injection attacks. However as a general rule, all data should be validated on the client and server end before sending it to the database.
Cody C  2009-08-04 17:24:30
+2  A: 

I would recommend that you embed any logic for validation at a layer above the stored procedure implementation. In this way you can have much more flexibility in your implementation and exposure. A simple example is that you can reuse a validation library across multiple projects. Most ORM libraries support validation in its simplest form by verifying appropriate type assignment at compile time.

I would also recommend that you implement your transactional logic in a layer above the stored procedures.

David in Dakota  2009-08-04 16:38:48
Can you suggest me any good free ORM library?
Mohit  2009-08-04 16:44:47
I really, really dig SubSonic [http://subsonicproject.com/Download]. I had a pleasant experience w/ 2.2 but have yet to use the newly released 3.0.
David in Dakota  2009-08-05 14:14:54

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL