Friday, May 4, 2007

What is difference between ExecuteReader, ExecuteNonQuery and ExecuteScalar.

  • ExecuteReader : Use for accessing data. It provides a forward-only, read-only, connected recordset.
  • ExecuteNonQuery : Use for data manipulation, such as Insert, Update, Delete.
  • ExecuteScalar : Use for retriving 1 row 1 col. value., i.e. Single value. eg: for retriving aggregate function. It is faster than other ways of retriving a single value from DB.

Improving Performance with Connection Pooling

Opening a connection is a database-intensive task. It can be one of the slowest operations that you perform in an ASP.NET page. Furthermore, a database has a limited supply of connections, and each connection requires a certain amount of memory overhead (approximately 40 kilobytes per connection).

If you plan to have hundreds of users hitting your Web site simultaneously, the process of opening a database connection for each user can have a severe impact on the performance of your Web site.

Fortunately, you can safely ignore these bad warnings if you take advantage of connection pooling. When database connections are pooled, a set of connections is kept open so that they can be shared among multiple users. When you request a new connection, an active connection is removed from the pool. When you close the connection, the connection is placed back in the pool.

Connection pooling is enabled for both OleDb and SqlClient connections by default.

To take advantage of connection pooling, you must be careful to do two things in your ASP.NET pages. First, you must be careful to use the same exact connection string whenever you open a database connection. Only those connections opened with the same connection string can be placed in the same connection pool. For this reason you should place your connection string in the web.config file and retrieve it from this file whenever you need to open a connection

To take advantage of connection pooling in your ASP.NET pages, you also must be careful to explicitly close whatever connection you open as quickly as possible. If you do not explicitly close a connection with the Close() method, the connection is never added back to the connection pool.

connection pooling options that you can add to the SQL Server connection string:

  • Connection Lifetime— Destroys a connection after a certain number of seconds. The default value is 0, which indicates that connections should never be destroyed.
  • Connection Reset— Indicates whether connections should be reset when they are returned to the pool. The default value is true.
  • Enlist— Indicates whether a connection should be automatically enlisted in the current transaction context. The default value is true.
  • Max Pool Size— The maximum number of connections allowed in a single connection pool. The default value is 100.
  • Min Pool Size— The minimum number of connections allowed in a single connection pool. The default value is 0.
  • Pooling— Determines whether connection pooling is enabled or disabled. The default value is true.

Strongly Typed Dataset Object

Strongly typed Dataset object allows you to create early-bound data retrieval expression.

Advantage of Strongly Typed dataset

  • It is faster than late-bound data retrieval expression.
  • Its column name is shown in intellisense as you type code.

Difference between Dataset and DataReader : Points to be consider while choosing between the DataSet and DataReader objects

DataSet object

DataReader object

Read/Write access

Read-only access

Supports multiple tables from different databases

Supports a single table based on a single SQL query of one database

Disconnected mode

Connected mode

Bind to multiple controls

Bind to a single control

Forward and backward scanning of data

Forward-only scanning of data

Slower access to data

Faster access to data

Greater overhead to enable additional features

Lightweight object with very little overhead

Supported by Visual Studio .NET tools

Must be manually coded

Thursday, May 3, 2007

SQL Injection Problem

SQL injection is a strategy for attacking databases.

Example1:
An ASP page asks the user for a name and a password, and then sends the following string to the database:
SELECT FROM users WHERE username = 'whatever' AND password = 'mypassword'

It seems safe, but it isn't. A user might enter something like this as her user name:
' OR 1>0 --

When this is plugged into the SQL statement, the result looks like this:
SELECT FROM users WHERE username = '' OR 1>0 -- AND password = ''

This injection comments out the password portion of the statement. It results in a list of all the names in the users table, so any user could get into your system.

The easiest way to prevent this sort of injection is to parse the SQL string and remove any occurrences of "--" before passing the statement.

Example 2:
You also have to beware of injections that contain semicolons because semicolons delimit SQL statements. Think about the implications of a user name like this:
' OR 1>0 ; DELETE Customers ; --


There are numerous ways a malicious user might penetrate your system using SQL injection and various defenses, but the simplest approach is to avoid dynamic SQL. Instead, use stored procedures everywhere. Thanks to the way SQL passes parameters, injections such as those above will produce errors, and the stored procedure will not execute.

Most Recent Post

Most Recent Ado.net FAQ

Most Recent .Net Framework FAQ

Most Recent Configuration Files FAQ

Daily Quote, Inspiration, Motivation and More

Subscribe Blog via Email

Enter your email address: