SQL Parameterized Queries
Index
• Definition
• Why Parameterized Queries?
• Disadvantages
• Parameterized queries VS Stored Procedures
• Parameterized queries using Vb.net
Definition
• “A parameterized query (also known as a prepared statement) is a technique of query
execution which separates the query string from the query parameter values.”
WHY PARAMETERIZED QUERIES?
Protection against SQL Injection Attack
• If the contents of a text field are pasted straight into the SQL text and
executed, that text field can carry a complete new statement that does
something entirely different from what the application intended.
• A parameter is safe because its value is sent to SQL Server as data, separate
from the statement text, so it is treated as a literal value rather than
executable code. The provider also checks it against the declared type and
length.
Why Parameterized Queries  Protection against SQL Injection Attack
• An injection payload is also much longer than a real first name. A value that
does not fit the parameter's declared size is truncated to that size by
SqlClient (other providers may reject it instead); in either case it is never
parsed as SQL. The declared type and length are only a bound on the data: the
defence is that the value never becomes part of the statement text.
Example
• Dynamic SQL query
• The command is built in the application by string concatenation:
"SELECT * FROM DbCustomers.dbo.Customers WHERE FirstName = '" & firstName & "';"
• Suppose a user searches the Customers table (FirstName column) for this
value:
Ali';Truncate Table dbo.Customers;--
• The resulting CommandText is:
SELECT * FROM DbCustomers.dbo.Customers
WHERE FirstName = 'Ali'; Truncate Table
dbo.Customers;--' ;
• SQL Server now sees a batch of three parts:
1. SELECT * FROM DbCustomers.dbo.Customers
WHERE FirstName = 'Ali';   (the query the application intended)
2. Truncate Table dbo.Customers;   (the attacker's statement; it empties the table)
3. --' ;   (a comment that swallows the closing quote the application appended,
so the whole batch parses cleanly and executes)
• Parameterized SQL query
If we search for the same value
Ali';Truncate Table dbo.Customers;--
• the value is passed as the parameter @FirstName, declared as varchar(255),
alongside the command text rather than inside it.
• The command text stays exactly as written:
SELECT * FROM DbCustomers.dbo.Customers WHERE FirstName = @FirstName;
• and the FirstName column is compared with the literal string
“Ali';Truncate Table dbo.Customers;--”. No row matches, nothing is truncated,
and the quote and comment characters are just characters in a value.
PERFORMANCE IMPLICATIONS
• To the developer the two styles look almost the same; to SQL Server they are
very different.
Why Parameterized Queries  Performance Implications
• With dynamic SQL, every distinct literal value produces a new statement text,
so SQL Server has to parse, compile and cache the query again each time.
• With parameterized queries the statement text is identical on every call, so
SQL Server compiles a query execution plan once and reuses it, plugging each
new parameter value into the same plan.
Simple Parameterization feature
• When values are written as explicit literals, as in the query below, SQL
Server invokes a feature known as ‘simple parameterization’.
SELECT ZipCode, Latitude, Longitude, City, State,
Country FROM dbo.UsZipCodes WHERE ZipCode =
'54911'
• Simple parameterization is designed to reduce the resource cost of parsing
SQL queries and forming execution plans by automatically parameterizing
queries.
Simple Parameterization feature
• With simple parameterization, SQL Server actually creates two execution
plans for this query.
• The first is a shell plan containing a pointer to the second, the real
parameterized plan.
• Only a narrow class of simple statements qualifies (single-table lookups
like this one; a query with joins is generally compiled as written), so it
is no substitute for explicit parameters.
Experiments
• We will show two experiments by David Berry (who has worked extensively
with both Oracle and SQL Server, with a special interest in database
performance tuning) on the performance implications of parameterized
queries.
• David Berry focused on four metrics for the analysis:
– The total elapsed time used to process n queries.
– The total CPU time used by SQL Server to process n queries.
– The total number of plans in SQL Server’s plan cache after processing n
queries.
– The total amount of memory used by SQL Server’s plan cache after
processing n queries.
A Most Basic Query
• We created a table called UsZipCodes that
contains a record for every zip code in the
United States along with the associated city,
state, longitude and latitude. In total, there
are 42,741 rows in the table.
• For both dynamic SQL and parameterized SQL,
we will execute a query that selects a single
record from the table by querying on the zip
code itself.
• This query will then be repeated 5000 times
with a different zip code each time.
• Executing this query 5000 times will comprise
a single test run. To make sure the results are
repeatable, we have performed this test 20
times.
• Parameterized queries ran about 33% faster than the dynamic SQL queries.
• The dynamic SQL used roughly 3.3 times the CPU on the database server
compared with the parameterized query.
• The table below shows the averages over all 20 runs.
• SQL Server applies simple parameterization to the dynamic SQL here, so the
real plan is reused even in the dynamic case. Inspecting the plan cache shows
5000 different shell plans (one per distinct statement text) plus a single
auto-parameterized execution plan for the dynamic SQL, against one plan for
the parameterized query. Those shell plans are where the extra CPU and
plan-cache memory go.
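To see these shell plans for yourself, the following VB.NET program (an added example, not part of the slides or of David Berry's test harness) runs the zip-code lookup a few times as dynamic SQL and a few times parameterized, then reads sys.dm_exec_cached_plans. The connection string, the sample zip codes and the column names are assumptions; the login needs VIEW SERVER STATE to read the plan cache DMVs.

```vbnet
' Added example: count cached plans produced by dynamic vs parameterized SQL.
' Assumptions: a dbo.UsZipCodes table with ZipCode/City/State columns, the
' hypothetical CONN_STR below, and VIEW SERVER STATE for the login.
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module PlanCacheCheck

    Private Const CONN_STR As String =
        "Server=localhost;Database=ZipDb;Integrated Security=true;"   ' hypothetical

    ' Constructed sample values used as the changing literal / parameter.
    Private ReadOnly ZipCodes As String() = {"54911", "10001", "30301", "60601", "94105"}

    ' Dynamic SQL: every call produces a different statement text, so SQL Server
    ' caches one 'Adhoc' shell plan per value (plus one auto-parameterized plan).
    Private Sub RunDynamic(conn As SqlConnection)
        For Each zip In ZipCodes
            Dim sql As String =
                "SELECT ZipCode, City, State FROM dbo.UsZipCodes WHERE ZipCode = '" & zip & "'"
            Using cmd As New SqlCommand(sql, conn)
                cmd.ExecuteScalar()
            End Using
        Next
    End Sub

    ' Parameterized: the text is identical on every call. SqlClient sends it via
    ' sp_executesql, and SQL Server reuses a single 'Prepared' plan.
    Private Sub RunParameterized(conn As SqlConnection)
        For Each zip In ZipCodes
            Using cmd As New SqlCommand(
                "SELECT ZipCode, City, State FROM dbo.UsZipCodes WHERE ZipCode = @zip", conn)
                cmd.Parameters.Add("@zip", SqlDbType.VarChar, 10).Value = zip
                cmd.ExecuteScalar()
            End Using
        Next
    End Sub

    ' Count cached plans whose text touches UsZipCodes, grouped by plan type.
    ' 'Adhoc' rows are the per-literal shell plans; 'Prepared' rows are the
    ' auto-parameterized plan and the sp_executesql plan.
    Private Sub PrintPlanCounts(conn As SqlConnection)
        Const PLAN_SQL As String =
            "SELECT cp.objtype, COUNT(*) AS plans, SUM(cp.usecounts) AS uses, " &
            "       SUM(cp.size_in_bytes) AS bytes " &
            "FROM sys.dm_exec_cached_plans AS cp " &
            "CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st " &
            "WHERE st.text LIKE '%UsZipCodes%' " &
            "  AND st.text NOT LIKE '%dm_exec_cached_plans%' " &
            "GROUP BY cp.objtype;"
        Using cmd As New SqlCommand(PLAN_SQL, conn)
            Using reader As SqlDataReader = cmd.ExecuteReader()
                While reader.Read()
                    Console.WriteLine("{0,-10} plans={1,4} uses={2,4} bytes={3,8}",
                        reader.GetString(0), reader.GetInt32(1),
                        reader.GetInt32(2), reader.GetInt32(3))
                End While
            End Using
        End Using
    End Sub

    Sub Main()
        Using conn As New SqlConnection(CONN_STR)
            conn.Open()
            Console.WriteLine("After dynamic SQL:")
            RunDynamic(conn)
            PrintPlanCounts(conn)        ' one Adhoc shell per zip code, one Prepared plan

            Console.WriteLine("After parameterized SQL:")
            RunParameterized(conn)
            PrintPlanCounts(conn)        ' one more Prepared plan whose usecounts grows
        End Using
    End Sub

End Module
```

Run it twice and the Adhoc count does not grow on the second pass, because the same five texts are already cached; use new zip codes to watch it climb. If the instance has the "optimize for ad hoc workloads" option enabled, first-time ad hoc plans are stored as small stubs, so the bytes column shrinks but the plan count behaves the same. Clearing the cache between runs with DBCC FREEPROCCACHE needs ALTER SERVER STATE and should only be done on a test instance.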
Query with a Join and an Order By
• This experiment uses the AdventureWorksLT database.
• Because AdventureWorksLT ships with a small sample data set, a data
generator was used to insert rows into the main tables.
• In the test database the SalesOrderHeader table contains about 650,000
rows and the SalesOrderDetail table around 8.5 million rows. The larger
data set gives more realistic test conditions.
• Consider the query below:
SELECT h.SalesOrderID, h.OrderDate, h.SubTotal As
OrderSubTotal, p.Name AS ProductName,
d.OrderQty, d.ProductID, d.UnitPrice, d.LineTotal
FROM SalesLT.SalesOrderHeader h
INNER JOIN SalesLT.SalesOrderDetail d
ON h.SalesOrderID = d.SalesOrderID
INNER JOIN SalesLT.Product p
ON d.ProductID = p.ProductID
WHERE h.CustomerID = @customer_id
AND h.OrderDate > @start_date
AND h.OrderDate < @end_date
ORDER BY h.SalesOrderID, d.LineTotal;
• The query was executed 100 times per test run, and 20 test runs were
conducted. The results are shown in the table below.
• The parameterized version of the query has an elapsed time 10.8% lower
than its dynamic SQL counterpart.
• The dynamic SQL version of the query uses 3.7 times more CPU than the
parameterized version.
Experiment Conclusion
• The results show a measurable performance benefit from parameterized
queries over dynamic SQL on SQL Server, visible in every metric measured.
An application built on dynamic SQL will see slower database response times
than one using parameterized queries, and that difference is reflected in
the response time of the application itself, which the user may perceive as
sluggishness.
SINGLE AND DOUBLE QUOTES PROBLEMS
• Most programmers also find parameterized queries less error-prone: they no
longer have to keep track of single and double quotes (or of escaping quotes
inside values) when assembling SQL strings from VB.NET variables.
Why Parameterized Queries  Single and Double quotes problems
DISADVANTAGES
QUERIES ARE EMBEDDED INTO APPLICATION CODE
• One of the main disadvantages is that, because the queries are embedded in
application code, the same query can end up in several places.
This duplication can be reduced by keeping the queries in one central
location.
• Queries are written for one application.
• The DBA has no control over the SQL the application sends, which can be
risky for large databases.
Disadvantages  Queries are embedded into application code
PARAMETERIZED QUERIES VS STORED PROCEDURES
                  Parameterized queries                 Stored procedures
DBA control       Less: the SQL lives in the            Very good: the SQL lives in the
                  application code                      database
Parameters        Can be added while building           Fixed number, declared in the
                  the command                           procedure signature
Execution time    Good (plan reused)                    Good (plan reused)
Reuse             Written for a single application      Created once, used by many
                                                        applications
Security          Safe as long as every user-supplied   Often considered more secure: the
                  value is a parameter                  SQL sits in the data layer and the
                                                        application login can be granted
                                                        EXECUTE only. A procedure that
                                                        builds dynamic SQL from its inputs
                                                        is just as injectable, however.
Parameterized queries VS Stored Procedures
• It is up to you to choose between parameterized queries and stored
procedures, according to the application, the data and many other
factors.
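The following VB.NET call is an added example rather than code from the slides. It shows what the stored-procedure side of the comparison means in practice, and why "more secure" needs a qualifier: the first procedure in the comment is safe, while its _Bad twin is injectable from exactly the same parameterized call. The connection string, the procedure names and the AppLogin principal are assumptions.

```vbnet
' Added example: calling a stored procedure with typed parameters, with the
' T-SQL the DBA would create shown in this comment so the call can be read
' against it. Names, login and connection string are hypothetical.
'
'   -- Safe: the parameter is used as a value inside a static statement.
'   CREATE PROCEDURE dbo.FindCustomerByFirstName @FirstName varchar(255)
'   AS
'   BEGIN
'       SET NOCOUNT ON;
'       SELECT CustomerID, FirstName FROM dbo.Customers
'       WHERE FirstName = @FirstName;
'   END
'
'   -- Still injectable: the parameter is concatenated into dynamic SQL inside
'   -- the procedure, so keeping the SQL "in the data layer" buys nothing here.
'   -- Shown as the anti-pattern; do not create this.
'   CREATE PROCEDURE dbo.FindCustomerByFirstName_Bad @FirstName varchar(255)
'   AS
'   BEGIN
'       EXEC('SELECT CustomerID, FirstName FROM dbo.Customers ' +
'            'WHERE FirstName = ''' + @FirstName + '''');
'   END
'
'   -- Least privilege: the application login needs EXECUTE on the procedure
'   -- only, not SELECT (let alone ALTER) on dbo.Customers.
'   GRANT EXECUTE ON dbo.FindCustomerByFirstName TO AppLogin;
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module StoredProcedureSearch

    ' Hypothetical connection string; AppLogin is assumed to be the caller.
    Private Const CONN_STR As String =
        "Server=localhost;Database=DbCustomers;Integrated Security=true;"

    ' Calls the procedure with CommandType.StoredProcedure. SqlClient issues an
    ' RPC call with a typed argument, so the value is never part of any SQL text
    ' sent by the application.
    Public Function FindByFirstName(firstName As String) As Integer
        Using conn As New SqlConnection(CONN_STR)
            Using cmd As New SqlCommand("dbo.FindCustomerByFirstName", conn)
                cmd.CommandType = CommandType.StoredProcedure
                cmd.Parameters.Add("@FirstName", SqlDbType.VarChar, 255).Value = firstName
                conn.Open()
                Dim rows As Integer = 0
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    While reader.Read()
                        rows += 1
                    End While
                End Using
                Return rows
            End Using
        End Using
    End Function

    Sub Main()
        ' The payload from the slides is harmless against the safe procedure:
        ' it is compared as a literal and matches nothing.
        Console.WriteLine("Matched {0} row(s).",
                          FindByFirstName("Ali';Truncate Table dbo.Customers;--"))
        ' Against dbo.FindCustomerByFirstName_Bad the same call would run the
        ' TRUNCATE (if the caller had ALTER on the table), because the procedure
        ' rebuilds the statement from the string. Parameterizing the call is not
        ' enough; the procedure body must not concatenate its inputs either.
    End Sub

End Module
```

The practical check when reviewing a procedure is therefore the same as for application code: search its body for EXEC(...) with string concatenation, and replace it with a static statement or with sp_executesql carrying its own parameter list.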
PARAMETERIZED QUERIES USING VB.NET
Parameterized queries using Vb.net
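The following VB.NET module is an added example, not code from the original slides. It serves both the SQL-injection example earlier in the deck and this section: it puts the concatenated query from that example and its parameterized replacement side by side, using System.Data.SqlClient. The connection string, the CustomerID column and the function names are assumptions; the table, the parameter and the payload are the ones from the example.

```vbnet
' Added example: the vulnerable concatenation from the "Dynamic SQL query"
' example next to its parameterized replacement.
' Assumptions: a DbCustomers database reachable through the hypothetical
' CONN_STR, a dbo.Customers table with a varchar(255) FirstName column, and
' System.Data.SqlClient (for Microsoft.Data.SqlClient, change the Imports line).
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module CustomerSearch

    Private Const CONN_STR As String =
        "Server=localhost;Database=DbCustomers;Integrated Security=true;"

    ' The statement text never changes; the value arrives as @FirstName.
    Private Const SELECT_SQL As String =
        "SELECT CustomerID, FirstName FROM dbo.Customers WHERE FirstName = @FirstName;"

    ' VULNERABLE: the user's text becomes part of the statement. This is the
    ' pattern the slides warn about and is kept only for comparison. Never use it.
    Public Function SearchUnsafe(firstName As String) As Integer
        Dim sql As String =
            "SELECT CustomerID, FirstName FROM dbo.Customers WHERE FirstName = '" &
            firstName & "';"
        Using conn As New SqlConnection(CONN_STR)
            Using cmd As New SqlCommand(sql, conn)
                conn.Open()
                ' With the payload from the slides the batch now contains
                ' TRUNCATE TABLE dbo.Customers, and SQL Server runs it.
                Return CountRows(cmd)
            End Using
        End Using
    End Function

    ' SAFE: SqlClient sends the fixed text through sp_executesql with a typed
    ' varchar(255) argument, e.g.
    '   exec sp_executesql N'SELECT ... WHERE FirstName = @FirstName;',
    '                      N'@FirstName varchar(255)',
    '                      @FirstName = 'Ali'';Truncate Table dbo.Customers;--'
    ' so the value is compared as a literal and never parsed as SQL.
    Public Function SearchSafe(firstName As String) As Integer
        Using conn As New SqlConnection(CONN_STR)
            Using cmd As New SqlCommand(SELECT_SQL, conn)
                cmd.Parameters.Add("@FirstName", SqlDbType.VarChar, 255).Value = firstName
                conn.Open()
                Return CountRows(cmd)
            End Using
        End Using
    End Function

    Private Function CountRows(cmd As SqlCommand) As Integer
        Dim rows As Integer = 0
        Using reader As SqlDataReader = cmd.ExecuteReader()
            While reader.Read()
                rows += 1
            End While
        End Using
        Return rows
    End Function

    Sub Main()
        ' The injection string from the slides.
        Dim payload As String = "Ali';Truncate Table dbo.Customers;--"

        ' SearchSafe sends the payload as data: it returns 0 rows (no customer
        ' has that name) and dbo.Customers is untouched.
        Console.WriteLine("Parameterized search matched {0} row(s).", SearchSafe(payload))

        ' SearchUnsafe(payload) would execute the TRUNCATE. It is deliberately
        ' not called here; run it only against a disposable test database.
    End Sub

End Module
```

Two details worth checking in a code review: the parameter is given an explicit SqlDbType and size, so the plan cache sees one consistent declaration instead of a different inferred length per value, and the application never builds the CommandText from anything the user typed.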
Any questions?
Thank you for listening

More Related Content

What's hot

Constructor and Destructor in c++
Constructor  and Destructor in c++Constructor  and Destructor in c++
Constructor and Destructor in c++
aleenaguen
 
Objects and classes in Visual Basic
Objects and classes in Visual BasicObjects and classes in Visual Basic
Objects and classes in Visual Basic
Sangeetha Sg
 
Sql queries presentation
Sql queries presentationSql queries presentation
Sql queries presentation
NITISH KUMAR
 
C# lecture 2: Literals , Variables and Data Types in C#
C# lecture 2: Literals , Variables and Data Types in C#C# lecture 2: Literals , Variables and Data Types in C#
C# lecture 2: Literals , Variables and Data Types in C#
Dr.Neeraj Kumar Pandey
 
Type of database models
Type of database modelsType of database models
Type of database models
SanthiNivas
 
Visual programming
Visual programmingVisual programming
Visual programming
Dr. C.V. Suresh Babu
 
class and objects
class and objectsclass and objects
class and objectsPayel Guria
 
Lecture 04 normalization
Lecture 04 normalization Lecture 04 normalization
Lecture 04 normalization emailharmeet
 
Datatype in c++ unit 3 -topic 2
Datatype in c++ unit 3 -topic 2Datatype in c++ unit 3 -topic 2
Datatype in c++ unit 3 -topic 2
MOHIT TOMAR
 
Introduction to database & sql
Introduction to database & sqlIntroduction to database & sql
Introduction to database & sql
zahid6
 
Java OOP Programming language (Part 6) - Abstract Class & Interface
Java OOP Programming language (Part 6) - Abstract Class & InterfaceJava OOP Programming language (Part 6) - Abstract Class & Interface
Java OOP Programming language (Part 6) - Abstract Class & Interface
OUM SAOKOSAL
 
File handling
File handlingFile handling
File handling
Nilesh Dalvi
 
Methods in C#
Methods in C#Methods in C#
Methods in C#
Prasanna Kumar SM
 
C# Value Data Types and Reference Data Types
C# Value Data Types and Reference Data TypesC# Value Data Types and Reference Data Types
C# Value Data Types and Reference Data Types
Micheal Ogundero
 
Std 12 computer chapter 6 object oriented concepts (part 1)
Std 12 computer chapter 6 object oriented concepts (part 1)Std 12 computer chapter 6 object oriented concepts (part 1)
Std 12 computer chapter 6 object oriented concepts (part 1)
Nuzhat Memon
 
Ms sql-server
Ms sql-serverMs sql-server
Ms sql-server
Md.Mojibul Hoque
 

What's hot (20)

Constructor
ConstructorConstructor
Constructor
 
Constructor and Destructor in c++
Constructor  and Destructor in c++Constructor  and Destructor in c++
Constructor and Destructor in c++
 
Objects and classes in Visual Basic
Objects and classes in Visual BasicObjects and classes in Visual Basic
Objects and classes in Visual Basic
 
Sql queries presentation
Sql queries presentationSql queries presentation
Sql queries presentation
 
C# lecture 2: Literals , Variables and Data Types in C#
C# lecture 2: Literals , Variables and Data Types in C#C# lecture 2: Literals , Variables and Data Types in C#
C# lecture 2: Literals , Variables and Data Types in C#
 
Type of database models
Type of database modelsType of database models
Type of database models
 
Visual programming
Visual programmingVisual programming
Visual programming
 
class and objects
class and objectsclass and objects
class and objects
 
Stored procedure
Stored procedureStored procedure
Stored procedure
 
Lecture 04 normalization
Lecture 04 normalization Lecture 04 normalization
Lecture 04 normalization
 
Datatype in c++ unit 3 -topic 2
Datatype in c++ unit 3 -topic 2Datatype in c++ unit 3 -topic 2
Datatype in c++ unit 3 -topic 2
 
Introduction to database & sql
Introduction to database & sqlIntroduction to database & sql
Introduction to database & sql
 
Java OOP Programming language (Part 6) - Abstract Class & Interface
Java OOP Programming language (Part 6) - Abstract Class & InterfaceJava OOP Programming language (Part 6) - Abstract Class & Interface
Java OOP Programming language (Part 6) - Abstract Class & Interface
 
Error handling in ASP.NET
Error handling in ASP.NETError handling in ASP.NET
Error handling in ASP.NET
 
File handling
File handlingFile handling
File handling
 
Sql ppt
Sql pptSql ppt
Sql ppt
 
Methods in C#
Methods in C#Methods in C#
Methods in C#
 
C# Value Data Types and Reference Data Types
C# Value Data Types and Reference Data TypesC# Value Data Types and Reference Data Types
C# Value Data Types and Reference Data Types
 
Std 12 computer chapter 6 object oriented concepts (part 1)
Std 12 computer chapter 6 object oriented concepts (part 1)Std 12 computer chapter 6 object oriented concepts (part 1)
Std 12 computer chapter 6 object oriented concepts (part 1)
 
Ms sql-server
Ms sql-serverMs sql-server
Ms sql-server
 

Similar to Sql parametrized queries

SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security Champions
PetraVukmirovic
 
Presentación Oracle Database Migración consideraciones 10g/11g/12c
Presentación Oracle Database Migración consideraciones 10g/11g/12cPresentación Oracle Database Migración consideraciones 10g/11g/12c
Presentación Oracle Database Migración consideraciones 10g/11g/12c
Ronald Francisco Vargas Quesada
 
Денис Резник "Зачем мне знать SQL и Базы Данных, ведь у меня есть ORM?"
Денис Резник "Зачем мне знать SQL и Базы Данных, ведь у меня есть ORM?"Денис Резник "Зачем мне знать SQL и Базы Данных, ведь у меня есть ORM?"
Денис Резник "Зачем мне знать SQL и Базы Данных, ведь у меня есть ORM?"
Fwdays
 
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAs
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAsOracle Database Performance Tuning Advanced Features and Best Practices for DBAs
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAs
Zohar Elkayam
 
Configuring Sage 500 for Performance
Configuring Sage 500 for PerformanceConfiguring Sage 500 for Performance
Configuring Sage 500 for Performance
RKLeSolutions
 
05_DP_300T00A_Optimize.pptx
05_DP_300T00A_Optimize.pptx05_DP_300T00A_Optimize.pptx
05_DP_300T00A_Optimize.pptx
KareemBullard1
 
Optimizer overviewoow2014
Optimizer overviewoow2014Optimizer overviewoow2014
Optimizer overviewoow2014
Mysql User Camp
 
SQL Server ASYNC_NETWORK_IO Wait Type Explained
SQL Server ASYNC_NETWORK_IO Wait Type ExplainedSQL Server ASYNC_NETWORK_IO Wait Type Explained
SQL Server ASYNC_NETWORK_IO Wait Type Explained
Confio Software
 
Boosting the Performance of your Rails Apps
Boosting the Performance of your Rails AppsBoosting the Performance of your Rails Apps
Boosting the Performance of your Rails Apps
Matt Kuklinski
 
Stored procedure in sql server
Stored procedure in sql serverStored procedure in sql server
Stored procedure in sql server
baabtra.com - No. 1 supplier of quality freshers
 
Modernizing your database with SQL Server 2019
Modernizing your database with SQL Server 2019Modernizing your database with SQL Server 2019
Modernizing your database with SQL Server 2019
Antonios Chatzipavlis
 
Upcoming changes in MySQL 5.7
Upcoming changes in MySQL 5.7Upcoming changes in MySQL 5.7
Upcoming changes in MySQL 5.7
Morgan Tocker
 
Geek Sync I Need for Speed: In-Memory Databases in Oracle and SQL Server
Geek Sync I Need for Speed: In-Memory Databases in Oracle and SQL ServerGeek Sync I Need for Speed: In-Memory Databases in Oracle and SQL Server
Geek Sync I Need for Speed: In-Memory Databases in Oracle and SQL Server
IDERA Software
 
Introduction 6.1 01_architecture_overview
Introduction 6.1 01_architecture_overviewIntroduction 6.1 01_architecture_overview
Introduction 6.1 01_architecture_overview
Anvith S. Upadhyaya
 
Store procedures
Store proceduresStore procedures
Store procedures
Farzan Wadood
 
SFDC Inbound Integrations
SFDC Inbound IntegrationsSFDC Inbound Integrations
SFDC Inbound Integrations
Sujit Kumar
 
Access Data from XPages with the Relational Controls
Access Data from XPages with the Relational ControlsAccess Data from XPages with the Relational Controls
Access Data from XPages with the Relational Controls
Teamstudio
 
Secrets of highly_avail_oltp_archs
Secrets of highly_avail_oltp_archsSecrets of highly_avail_oltp_archs
Secrets of highly_avail_oltp_archsTarik Essawi
 
EM12c: Capacity Planning with OEM Metrics
EM12c: Capacity Planning with OEM MetricsEM12c: Capacity Planning with OEM Metrics
EM12c: Capacity Planning with OEM Metrics
Maaz Anjum
 

Similar to Sql parametrized queries (20)

SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security Champions
 
Presentación Oracle Database Migración consideraciones 10g/11g/12c
Presentación Oracle Database Migración consideraciones 10g/11g/12cPresentación Oracle Database Migración consideraciones 10g/11g/12c
Presentación Oracle Database Migración consideraciones 10g/11g/12c
 
Денис Резник "Зачем мне знать SQL и Базы Данных, ведь у меня есть ORM?"
Денис Резник "Зачем мне знать SQL и Базы Данных, ведь у меня есть ORM?"Денис Резник "Зачем мне знать SQL и Базы Данных, ведь у меня есть ORM?"
Денис Резник "Зачем мне знать SQL и Базы Данных, ведь у меня есть ORM?"
 
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAs
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAsOracle Database Performance Tuning Advanced Features and Best Practices for DBAs
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAs
 
Configuring Sage 500 for Performance
Configuring Sage 500 for PerformanceConfiguring Sage 500 for Performance
Configuring Sage 500 for Performance
 
05_DP_300T00A_Optimize.pptx
05_DP_300T00A_Optimize.pptx05_DP_300T00A_Optimize.pptx
05_DP_300T00A_Optimize.pptx
 
Optimizer overviewoow2014
Optimizer overviewoow2014Optimizer overviewoow2014
Optimizer overviewoow2014
 
SQL Server ASYNC_NETWORK_IO Wait Type Explained
SQL Server ASYNC_NETWORK_IO Wait Type ExplainedSQL Server ASYNC_NETWORK_IO Wait Type Explained
SQL Server ASYNC_NETWORK_IO Wait Type Explained
 
Boosting the Performance of your Rails Apps
Boosting the Performance of your Rails AppsBoosting the Performance of your Rails Apps
Boosting the Performance of your Rails Apps
 
Stored procedure in sql server
Stored procedure in sql serverStored procedure in sql server
Stored procedure in sql server
 
Addhoc query
Addhoc queryAddhoc query
Addhoc query
 
Modernizing your database with SQL Server 2019
Modernizing your database with SQL Server 2019Modernizing your database with SQL Server 2019
Modernizing your database with SQL Server 2019
 
Upcoming changes in MySQL 5.7
Upcoming changes in MySQL 5.7Upcoming changes in MySQL 5.7
Upcoming changes in MySQL 5.7
 
Geek Sync I Need for Speed: In-Memory Databases in Oracle and SQL Server
Geek Sync I Need for Speed: In-Memory Databases in Oracle and SQL ServerGeek Sync I Need for Speed: In-Memory Databases in Oracle and SQL Server
Geek Sync I Need for Speed: In-Memory Databases in Oracle and SQL Server
 
Introduction 6.1 01_architecture_overview
Introduction 6.1 01_architecture_overviewIntroduction 6.1 01_architecture_overview
Introduction 6.1 01_architecture_overview
 
Store procedures
Store proceduresStore procedures
Store procedures
 
SFDC Inbound Integrations
SFDC Inbound IntegrationsSFDC Inbound Integrations
SFDC Inbound Integrations
 
Access Data from XPages with the Relational Controls
Access Data from XPages with the Relational ControlsAccess Data from XPages with the Relational Controls
Access Data from XPages with the Relational Controls
 
Secrets of highly_avail_oltp_archs
Secrets of highly_avail_oltp_archsSecrets of highly_avail_oltp_archs
Secrets of highly_avail_oltp_archs
 
EM12c: Capacity Planning with OEM Metrics
EM12c: Capacity Planning with OEM MetricsEM12c: Capacity Planning with OEM Metrics
EM12c: Capacity Planning with OEM Metrics
 

More from Hadi Fadlallah

RaDEn : A Scalable and Efficient Platform for Engineering Radiation Data
RaDEn :  A Scalable and Efficient Platform for Engineering Radiation DataRaDEn :  A Scalable and Efficient Platform for Engineering Radiation Data
RaDEn : A Scalable and Efficient Platform for Engineering Radiation Data
Hadi Fadlallah
 
ORADIEX : A Big Data driven smart framework for real-time surveillance and an...
ORADIEX : A Big Data driven smart framework for real-time surveillance and an...ORADIEX : A Big Data driven smart framework for real-time surveillance and an...
ORADIEX : A Big Data driven smart framework for real-time surveillance and an...
Hadi Fadlallah
 
What makes it worth becoming a Data Engineer?
What makes it worth becoming a Data Engineer?What makes it worth becoming a Data Engineer?
What makes it worth becoming a Data Engineer?
Hadi Fadlallah
 
Introduction to Data Engineering
Introduction to Data EngineeringIntroduction to Data Engineering
Introduction to Data Engineering
Hadi Fadlallah
 
An introduction to Business intelligence
An introduction to Business intelligenceAn introduction to Business intelligence
An introduction to Business intelligence
Hadi Fadlallah
 
Big data lab as a service
Big data lab as a serviceBig data lab as a service
Big data lab as a service
Hadi Fadlallah
 
Risk management and IT technologies
Risk management and IT technologiesRisk management and IT technologies
Risk management and IT technologies
Hadi Fadlallah
 
Fog computing
Fog computingFog computing
Fog computing
Hadi Fadlallah
 
Inertial sensors
Inertial sensors Inertial sensors
Inertial sensors
Hadi Fadlallah
 
Big Data Integration
Big Data IntegrationBig Data Integration
Big Data Integration
Hadi Fadlallah
 
Cloud computing pricing models
Cloud computing pricing modelsCloud computing pricing models
Cloud computing pricing models
Hadi Fadlallah
 
Internet of things security challenges
Internet of things security challengesInternet of things security challenges
Internet of things security challenges
Hadi Fadlallah
 
Marketing Mobile
Marketing MobileMarketing Mobile
Marketing Mobile
Hadi Fadlallah
 
Secure Aware Routing Protocol
Secure Aware Routing ProtocolSecure Aware Routing Protocol
Secure Aware Routing Protocol
Hadi Fadlallah
 
Bhopal disaster
Bhopal disasterBhopal disaster
Bhopal disaster
Hadi Fadlallah
 
Penetration testing in wireless network
Penetration testing in wireless networkPenetration testing in wireless network
Penetration testing in wireless network
Hadi Fadlallah
 
Cyber propaganda
Cyber propagandaCyber propaganda
Cyber propaganda
Hadi Fadlallah
 
Dhcp authentication using certificates
Dhcp authentication using certificatesDhcp authentication using certificates
Dhcp authentication using certificates
Hadi Fadlallah
 
Introduction to Data mining
Introduction to Data miningIntroduction to Data mining
Introduction to Data mining
Hadi Fadlallah
 
Introduction to software testing
Introduction to software testingIntroduction to software testing
Introduction to software testing
Hadi Fadlallah
 

More from Hadi Fadlallah (20)

RaDEn : A Scalable and Efficient Platform for Engineering Radiation Data
RaDEn :  A Scalable and Efficient Platform for Engineering Radiation DataRaDEn :  A Scalable and Efficient Platform for Engineering Radiation Data
RaDEn : A Scalable and Efficient Platform for Engineering Radiation Data
 
ORADIEX : A Big Data driven smart framework for real-time surveillance and an...
ORADIEX : A Big Data driven smart framework for real-time surveillance and an...ORADIEX : A Big Data driven smart framework for real-time surveillance and an...
ORADIEX : A Big Data driven smart framework for real-time surveillance and an...
 
What makes it worth becoming a Data Engineer?
What makes it worth becoming a Data Engineer?What makes it worth becoming a Data Engineer?
What makes it worth becoming a Data Engineer?
 
Introduction to Data Engineering
Introduction to Data EngineeringIntroduction to Data Engineering
Introduction to Data Engineering
 
An introduction to Business intelligence
An introduction to Business intelligenceAn introduction to Business intelligence
An introduction to Business intelligence
 
Big data lab as a service
Big data lab as a serviceBig data lab as a service
Big data lab as a service
 
Risk management and IT technologies
Risk management and IT technologiesRisk management and IT technologies
Risk management and IT technologies
 
Fog computing
Fog computingFog computing
Fog computing
 
Inertial sensors
Inertial sensors Inertial sensors
Inertial sensors
 
Big Data Integration
Big Data IntegrationBig Data Integration
Big Data Integration
 
Cloud computing pricing models
Cloud computing pricing modelsCloud computing pricing models
Cloud computing pricing models
 
Internet of things security challenges
Internet of things security challengesInternet of things security challenges
Internet of things security challenges
 
Marketing Mobile
Marketing MobileMarketing Mobile
Marketing Mobile
 
Secure Aware Routing Protocol
Secure Aware Routing ProtocolSecure Aware Routing Protocol
Secure Aware Routing Protocol
 
Bhopal disaster
Bhopal disasterBhopal disaster
Bhopal disaster
 
Penetration testing in wireless network
Penetration testing in wireless networkPenetration testing in wireless network
Penetration testing in wireless network
 
Cyber propaganda
Cyber propagandaCyber propaganda
Cyber propaganda
 
Dhcp authentication using certificates
Dhcp authentication using certificatesDhcp authentication using certificates
Dhcp authentication using certificates
 
Introduction to Data mining
Introduction to Data miningIntroduction to Data mining
Introduction to Data mining
 
Introduction to software testing
Introduction to software testingIntroduction to software testing
Introduction to software testing
 

Recently uploaded

SOCRadar Germany 2024 Threat Landscape Report
SOCRadar Germany 2024 Threat Landscape ReportSOCRadar Germany 2024 Threat Landscape Report
SOCRadar Germany 2024 Threat Landscape Report
SOCRadar
 
一比一原版(YU毕业证)约克大学毕业证成绩单
一比一原版(YU毕业证)约克大学毕业证成绩单一比一原版(YU毕业证)约克大学毕业证成绩单
一比一原版(YU毕业证)约克大学毕业证成绩单
enxupq
 
一比一原版(UofS毕业证书)萨省大学毕业证如何办理
一比一原版(UofS毕业证书)萨省大学毕业证如何办理一比一原版(UofS毕业证书)萨省大学毕业证如何办理
一比一原版(UofS毕业证书)萨省大学毕业证如何办理
v3tuleee
 
Criminal IP - Threat Hunting Webinar.pdf
Criminal IP - Threat Hunting Webinar.pdfCriminal IP - Threat Hunting Webinar.pdf
Criminal IP - Threat Hunting Webinar.pdf
Criminal IP
 
standardisation of garbhpala offhgfffghh
standardisation of garbhpala offhgfffghhstandardisation of garbhpala offhgfffghh
standardisation of garbhpala offhgfffghh
ArpitMalhotra16
 
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Subhajit Sahu
 
一比一原版(CU毕业证)卡尔顿大学毕业证成绩单
一比一原版(CU毕业证)卡尔顿大学毕业证成绩单一比一原版(CU毕业证)卡尔顿大学毕业证成绩单
一比一原版(CU毕业证)卡尔顿大学毕业证成绩单
yhkoc
 
Sample_Global Non-invasive Prenatal Testing (NIPT) Market, 2019-2030.pdf
Sample_Global Non-invasive Prenatal Testing (NIPT) Market, 2019-2030.pdfSample_Global Non-invasive Prenatal Testing (NIPT) Market, 2019-2030.pdf
Sample_Global Non-invasive Prenatal Testing (NIPT) Market, 2019-2030.pdf
Linda486226
 
Opendatabay - Open Data Marketplace.pptx
Opendatabay - Open Data Marketplace.pptxOpendatabay - Open Data Marketplace.pptx
Opendatabay - Open Data Marketplace.pptx
Opendatabay
 
Criminal IP - Threat Hunting Webinar.pdf
Criminal IP - Threat Hunting Webinar.pdfCriminal IP - Threat Hunting Webinar.pdf
Criminal IP - Threat Hunting Webinar.pdf
Criminal IP
 
Q1’2024 Update: MYCI’s Leap Year Rebound
Q1’2024 Update: MYCI’s Leap Year ReboundQ1’2024 Update: MYCI’s Leap Year Rebound
Q1’2024 Update: MYCI’s Leap Year Rebound
Oppotus
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单
ewymefz
 
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
ewymefz
 
一比一原版(BU毕业证)波士顿大学毕业证成绩单
一比一原版(BU毕业证)波士顿大学毕业证成绩单一比一原版(BU毕业证)波士顿大学毕业证成绩单
一比一原版(BU毕业证)波士顿大学毕业证成绩单
ewymefz
 
Adjusting primitives for graph : SHORT REPORT / NOTES
Adjusting primitives for graph : SHORT REPORT / NOTESAdjusting primitives for graph : SHORT REPORT / NOTES
Adjusting primitives for graph : SHORT REPORT / NOTES
Subhajit Sahu
 
一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理
slg6lamcq
 
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
ahzuo
 
一比一原版(CBU毕业证)不列颠海角大学毕业证成绩单
一比一原版(CBU毕业证)不列颠海角大学毕业证成绩单一比一原版(CBU毕业证)不列颠海角大学毕业证成绩单
一比一原版(CBU毕业证)不列颠海角大学毕业证成绩单
nscud
 
一比一原版(ArtEZ毕业证)ArtEZ艺术学院毕业证成绩单
• The command text will be as shown below:
SELECT * FROM DbCustomers.dbo.Customers WHERE FirstName = @firstname;

• [Firstname] will be compared with the value: “Ali';Truncate Table dbo.Customer;--”
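The two forms of the search side by side, as an added example that is not part of the slides. Python's sqlite3 module stands in for SQL Server and ADO.NET here (an assumption; the parameterized form corresponds to an SqlCommand with an SqlParameter in VB.NET), the Customers rows are constructed, and because SQLite has no TRUNCATE the search value uses DELETE FROM in its place. The dynamic version hands the whole batch to executescript(), which is what SQL Server does with a multi-statement CommandText; the parameterized version sends the same value as a named parameter and it is compared as a literal.

```python
import sqlite3

# Constructed sample data standing in for DbCustomers.dbo.Customers.
CUSTOMERS = [("Ali", "Hassan"), ("Sara", "Khan"), ("Omar", "Yusuf")]

# The search value from the slides, with DELETE FROM standing in for
# TRUNCATE TABLE because SQLite does not support TRUNCATE.
INJECTED_VALUE = "Ali';DELETE FROM Customers;--"


def fresh_db():
    """Create an in-memory database holding the constructed Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (FirstName TEXT, LastName TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def dynamic_search(conn, first_name):
    """VULNERABLE: the slide's dynamic SQL, value concatenated into the text.

    executescript() runs every statement in the string, so a value that
    carries a second statement gets that statement executed too.
    Returns the command text that was actually run.
    """
    command_text = "SELECT * FROM Customers WHERE FirstName = '" + first_name + "';"
    conn.executescript(command_text)
    return command_text


def parameterized_search(conn, first_name):
    """HARDENED: the value travels as a parameter and is compared as a literal.

    The statement text never changes; only the bound value does.
    """
    command_text = "SELECT * FROM Customers WHERE FirstName = :firstname;"
    rows = conn.execute(command_text, {"firstname": first_name}).fetchall()
    return command_text, rows


def row_count(conn):
    """Number of rows left in Customers, used to observe the side effect."""
    return conn.execute("SELECT COUNT(*) FROM Customers").fetchone()[0]


def demo():
    """Run both searches against fresh copies of the table and report the effect."""
    results = {}

    conn = fresh_db()
    results["dynamic_command_text"] = dynamic_search(conn, INJECTED_VALUE)
    results["rows_after_dynamic"] = row_count(conn)          # table emptied

    conn = fresh_db()
    _, rows = parameterized_search(conn, INJECTED_VALUE)
    results["rows_after_parameterized"] = row_count(conn)    # still 3 rows
    results["matches_for_injected_value"] = len(rows)        # no such first name

    _, rows = parameterized_search(conn, "Ali")
    results["matches_for_ali"] = len(rows)                   # the one real match
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The returned command text for the dynamic form is exactly the four-part string from slide 9: the intended SELECT, the injected DELETE, and the `--' ;` tail that comments out the closing quote. The parameterized form returns zero rows for the same input because no customer is literally named `Ali';DELETE FROM Customers;--`, and the table is untouched.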
Performance Implications

• From the point of view of a developer there is no difference between dynamic and parameterized queries, but there are many differences from the point of view of SQL Server.

• When using dynamic queries, the entire query has to be constructed and compiled by SQL Server every time.
• When using parameterized queries, SQL Server generates a query execution plan just once and then plugs the parameter value into it.

Simple Parameterization feature
• In cases in which values are specified explicitly, as in the query below, SQL Server invokes a feature known as ‘simple parameterization’.
SELECT ZipCode, Latitude, Longitude, City, State, Country FROM dbo.UsZipCodes WHERE ZipCode = '54911'
• Simple parameterization is designed to reduce the resource cost associated with parsing SQL queries and forming execution plans by automatically parameterizing queries.

Simple Parameterization feature
• With simple parameterization, SQL Server actually creates two execution plans for this query.
• The first execution plan is a shell plan containing a pointer to the second execution plan.

Experiments
• We will show 2 experiments made by David Berry (who has worked extensively with both Oracle and SQL Server, with a special interest in database performance tuning) concerning the performance implications of parameterized queries.

• David Berry focused on four different metrics for the analysis:
– The total elapsed time used to process n queries.
– The total CPU time used by SQL Server to process n queries.
– The total number of plans in SQL Server’s plan cache after processing n queries.
– The total amount of memory used by SQL Server’s plan cache after processing n queries.

A Most Basic Query
• We created a table called UsZipCodes that contains a record for every zip code in the United States along with the associated city, state, longitude and latitude. In total, there are 42,741 rows in the table.

• For both dynamic SQL and parameterized SQL, we will execute a query that selects a single record from the table by querying on the zip code itself.
• This query will then be repeated 5000 times with a different zip code each time.
• Executing this query 5000 times comprises a single test run. To make sure the results are repeatable, we performed this test 20 times.

• Parameterized queries are shown to run about 33% faster than the dynamic SQL queries.
• The dynamic SQL uses roughly 3.3 times the amount of CPU on the database server as the parameterized query.
• The table below shows the results for the average of all 20 runs.

• SQL Server is using simple parameterization to automatically parameterize the dynamic SQL. Inspecting the plan cache data shows that for dynamic SQL there are 5000 different shell plans and a single auto-parameterized execution plan.

Query with a Join and an Order By
• This experiment uses the AdventureWorksLT database.
• Since AdventureWorksLT contains only a small data sample, we used a data generator to insert data into the primary tables in the database.
• In this test database, the SalesOrderHeader table contains about 650,000 rows and the SalesOrderDetail table around 8.5 million rows. This larger dataset provides more realistic conditions for our test.

• Consider the query below:
SELECT h.SalesOrderID, h.OrderDate, h.SubTotal AS OrderSubTotal,
       p.Name AS ProductName, d.OrderQty, d.ProductID, d.UnitPrice, d.LineTotal
FROM SalesLT.SalesOrderHeader h
INNER JOIN SalesLT.SalesOrderDetail d ON h.SalesOrderID = d.SalesOrderID
INNER JOIN SalesLT.Product p ON d.ProductID = p.ProductID
WHERE h.CustomerID = @customer_id
  AND h.OrderDate > @start_date
  AND h.OrderDate < @end_date
ORDER BY h.SalesOrderID, d.LineTotal;

• The query was executed 100 times per test run, and a total of 20 test runs were conducted. The results are shown in the table below.
• The parameterized version of the query has an elapsed time that is 10.8% less than its dynamic SQL counterpart.
• The dynamic SQL version of the query uses 3.7 times more CPU than the parameterized version.

Experiment Conclusion
• The results show that on SQL Server there is a measurable performance impact of using parameterized queries versus dynamic SQL. The difference can be seen in every aspect of performance measured. By choosing dynamic SQL, an application will see slower response times than if parameterized queries are used. This will ultimately be reflected in the response time of the application, perhaps giving the user the impression that application performance is sluggish.
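A small reproduction of the first experiment's shape, added here and not taken from David Berry's tests or the slides: Python's sqlite3 module stands in for SQL Server, the UsZipCodes table is filled with constructed synthetic codes rather than the real 42,741 rows, and instead of reading a plan cache it counts the distinct statement texts each approach sends, which is the quantity that drives the "number of plans in the plan cache" metric above (the dynamic loop produces one text per lookup, the parameterized loop produces one text in total). Elapsed time is reported too, but only as an illustration, since timings on a local SQLite file say nothing precise about SQL Server.

```python
import sqlite3
import time

N_LOOKUPS = 5000  # same number of lookups per run as the slides' first experiment


def build_zip_table(conn, n_rows=N_LOOKUPS):
    """Constructed stand-in for dbo.UsZipCodes: n synthetic five-digit codes."""
    conn.execute(
        "CREATE TABLE UsZipCodes (ZipCode TEXT PRIMARY KEY, City TEXT, State TEXT)"
    )
    conn.executemany(
        "INSERT INTO UsZipCodes VALUES (?, ?, ?)",
        ((f"{10000 + i:05d}", f"City{i}", "XX") for i in range(n_rows)),
    )
    conn.commit()


def run_dynamic(conn, zips):
    """Dynamic SQL as in the slides' 'before' case: a new statement text per lookup.

    The inputs here are trusted, generated codes; the point is the statement
    churn, not injection. Returns (distinct statement texts, rows found).
    """
    texts = set()
    found = 0
    for z in zips:
        sql = "SELECT City FROM UsZipCodes WHERE ZipCode = '" + z + "'"
        texts.add(sql)
        found += len(conn.execute(sql).fetchall())
    return len(texts), found


def run_parameterized(conn, zips):
    """Parameterized: one statement text, prepared once, value bound each time."""
    texts = set()
    found = 0
    sql = "SELECT City FROM UsZipCodes WHERE ZipCode = :zip"
    for z in zips:
        texts.add(sql)
        found += len(conn.execute(sql, {"zip": z}).fetchall())
    return len(texts), found


def compare(n=N_LOOKUPS):
    """Run both loops over the same n codes and collect the per-approach metrics."""
    conn = sqlite3.connect(":memory:")
    build_zip_table(conn, n)
    zips = [f"{10000 + i:05d}" for i in range(n)]
    out = {}
    for name, fn in (("dynamic", run_dynamic), ("parameterized", run_parameterized)):
        t0 = time.perf_counter()
        distinct_texts, found = fn(conn, zips)
        out[name] = {
            "distinct_statement_texts": distinct_texts,
            "rows_found": found,
            "elapsed_s": time.perf_counter() - t0,
        }
    return out


if __name__ == "__main__":
    for name, metrics in compare().items():
        print(name, metrics)
```

sqlite3 keeps a per-connection cache of prepared statements keyed by the SQL text (128 entries by default), so the dynamic loop misses that cache on every call while the parameterized loop hits it after the first; that is the same mechanism, at a much smaller scale, as the single reusable execution plan the slides describe.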
SINGLE AND DOUBLE QUOTES PROBLEMS

• Most programmers find that parameterized queries make it easier to avoid errors, since they no longer have to keep track of single and double quotes when constructing SQL strings from VB.NET variables.

Disadvantages

QUERIES ARE EMBEDDED INTO APPLICATION CODE

• One of the main disadvantages is that, since the queries are embedded into your application code, you could end up with the same query in multiple places. This duplication can be eliminated by creating a central location to store your queries.
• Queries are created for one application.
• DBAs have no control over the code which executes in the application, which can be unsafe for large databases.

Parameterized queries VS Stored Procedures

Parameterized queries
• DBAs have less control over queries.
• Parameters can be added while building the query string.
• Good execution time.
• Used by a single application.

Stored procedures
• DBAs have very good control over queries.
• Fixed number of parameters.
• Good execution time.
• Created once, used by many applications.
• More secure; queries are written in the data layer.

• It’s up to you to choose between Parameterized queries and Stored Procedures (according to the application and data properties and many other factors…).

Parameterized queries using Vb.net

Thank you for listening

Editor's Notes

1. Index
   Definition
   Why Parameterized Queries?
     Protection against SQL Injection Attack
     Performance Implications
     Single and double quotes problems
   Disadvantages
     Queries are embedded into application code
   Parameterized queries VS Stored Procedures
   Parameterized queries using Vb.net
2. Definition reference: Mateusz Zoltak, http://cran.r-project.org/web/packages/RODBCext/vignettes/Parameterized_SQL_queries.html (posted 2014-07-04, retrieved 2014-09-11).