When to use Db.GetSqlStringCommand?

Topics: Data Access Application Block
Aug 29, 2007 at 10:10 PM
I want to know when I will need to use Db.GetSqlStringCommand. The examples that I have seen are all due to parameters. But what is the difference if I simply construct the command string when I issue Db.ExecuteReader?

Db.ExecuteReader("select * from customers where customerid = '" + id + '")

Aug 30, 2007 at 1:43 PM
It is not because of parameters.

The difference between GetSqlStringCommand and GetStoredProcCommand is to set the DbCommand object's CommandType to Text and StoredProcedure, respectively.

You are free to pass in any valid SQL statement to GetSqlStringCommand, with or without parameters. However, the use of parameters is recommended to avoid opening your application up to SQL injection attacks.

Matthew Noonan
EasyObjects.NET -- The O/RM for the Enterprise Library
Aug 30, 2007 at 1:45 PM

Using parameters is usually more efficient because it lets the DB engine to cache the queries' plans. However DB engines are quite sophisticated now so this may no longer apply, and in some cases using a different plan for different values is better (like when the distribution of values is very asymmetrical). Here are some posts the subject:

Hope this helps,
Aug 30, 2007 at 6:44 PM
Hi Matthew,

Thanks for the reply. I guess my question may not be too clear. Do I really need to have the DbCommand object since ExecuteReader accepts string as a parameter?

Aug 30, 2007 at 6:47 PM
Hi Fernando,

Thanks for those links about query-parameterization.

Apr 7, 2009 at 7:38 PM
Edited Apr 7, 2009 at 8:07 PM
Can someone please provide an example of how to use parameterized sql with the enterprise library (4.0) (for example to return multiple rows to a dataset)? I can't seem to make anything work...
Apr 8, 2009 at 2:17 AM
Answered in this thread - http://entlib.codeplex.com/Thread/View.aspx?ThreadId=52597

Sarah Urmeneta
Global Technology & Solutions
Avanade, Inc.