0

I have two formats and they are shown below.

Format 1 :

printstring = printstring & "---------------------------------------" & vbNewLine

Format 2 :

printstring = String.Format("{0}---------------------------------------{1}", printstring, vbNewLine)

It was recommended to follow Format 2 by a Code Optimization Tool.

Is there any specific reason for this? Like memory consumption or some other reason?

Improve this question
14
  • 2
    These two lines of code do not do the same thing at all... Commented May 22, 2015 at 8:40
  • 7
    I would use parameterized queries instead. Commented May 22, 2015 at 8:40
  • 2
    The second line is surely wrong (SQL-like injection). The first one I'm not sure it works... It depend to whom you give the query Commented May 22, 2015 at 8:41
  • 3
    @utility: No, the second format really doesn't. You're still just putting the string into the SQL. Don't do this. Use parameterized SQL, that's what it's there for. Commented May 22, 2015 at 8:42
  • 1
    from a non SQL point the second string is the way to go , but for SQL it's the worst way , you're exposing yourself to SQL injection attacks Commented May 22, 2015 at 8:44

2 Answers 2

Reset to default
1

Your code is suffering from SQL injection.

String formats are more efficient with large strings than string concatenations. They are also slightly easier to read. Both are perfectly valid.

To fix your SQL injection issue, you will want to parametrize your query:

using System;
using System.Data.SqlClient;

class Program
{
    static void Main()
    {
    //
    // The name we are trying to match.
    //
    string dogName = "Fido";
    //
    // Use preset string for connection and open it.
    //
    string connectionString =
        ConsoleApplication1.Properties.Settings.Default.ConnectionString;
    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        connection.Open();
        //
        // Description of SQL command:
        // 1. It selects all cells from rows matching the name.
        // 2. It uses LIKE operator because Name is a Text field.
        // 3. @Name must be added as a new SqlParameter.
        //
        using (SqlCommand command = new SqlCommand(
        "SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
        {
        //
        // Add new SqlParameter to the command.
        //
        command.Parameters.Add(new SqlParameter("Name", dogName));
        //
        // Read in the SELECT results.
        //
        SqlDataReader reader = command.ExecuteReader();
        while (reader.Read())
        {
            int weight = reader.GetInt32(0);
            string name = reader.GetString(1);
            string breed = reader.GetString(2);
            Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}",
            weight,
            name,
            breed);
        }
        }
    }
    }
}

Output (This varies depending on your database contents.)

Weight = 130, Name = Fido, Breed = Bullmastiff

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

I may be wrong here, but it looks like "grd.CurrentRow.Cells(1).Value" will resolve to a value in your c# code. You then intend to send this to the database. In other words your Format 2 will replace "grd.CurrentRow.Cells(1).Value" with a value before it goes to the database. Your Format 1 won't so is most likely incorrect and will not work.

In terms of performance, parameterizing queries is always recommended as it allows SQL Server's (if that is the database you are using) built in optimizer to build a query plan to optimise regular run queries. It will store this plan in a cache, so if you keep making the same types of queries, SQL Server should know the best way to call it after you have made one\more calls. Using Entity Framework or Stored Procedures to do data access will help you out here rather than building hard coded sql statements.

See these links for more information:

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.