markneustadt.com

Performance – Inline SQL vs Parameterized Queries

In the search for better and better performance, there are many techniques developers can use. A technique used early on by some entry-level or "still learning" developers is to build inline SQL. That looks something like this:

using System.Data.OleDb;
OleDbConnection conn = new OleDbConnection("<connection string>"); // placeholder; the original omitted connection setup
conn.Open();
string name = "Mark";
// The value is concatenated straight into the SQL text: this is the inline-SQL pattern under discussion
string query = "SELECT * FROM users WHERE FirstName='" + name + "'";
OleDbCommand cmd = new OleDbCommand(query, conn);
OleDbDataReader reader = cmd.ExecuteReader();

There are steps missing… this is just example code


This is something more seasoned developers learn to avoid almost immediately. There are a variety of reasons why inline SQL is bad. The most important reason is security.

However, there's another reason to avoid it: performance.
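As an added example (not code from the original post), here is the same lookup written as a parameterized query against the same `users` table. The connection string is a placeholder, and the list of names is constructed; because the SQL text never changes, the database can reuse its cached plan across the loop instead of compiling a new statement for every value, and a name containing a quote no longer breaks the query.

```csharp
using System;
using System.Data.OleDb;

class ParameterizedLookup
{
    static void Main()
    {
        // Constructed sample input; "O'Brien" would have broken the string-concatenated version
        string[] names = { "Mark", "O'Brien", "Anna" };

        // Placeholder connection string; replace with your own
        using (OleDbConnection conn = new OleDbConnection("<connection string>"))
        // OleDb uses positional '?' markers rather than named parameters
        using (OleDbCommand cmd = new OleDbCommand("SELECT * FROM users WHERE FirstName = ?", conn))
        {
            // Declare the parameter once; its name is for readability only with OleDb
            OleDbParameter firstName = cmd.Parameters.Add("@FirstName", OleDbType.VarWChar, 100);
            conn.Open();

            foreach (string name in names)
            {
                // Only the parameter value changes; the SQL text stays identical
                firstName.Value = name;
                using (OleDbDataReader reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        Console.WriteLine(reader["FirstName"]);
                    }
                }
            }
        }
    }
}
```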
