3

Could anyone tell me perhaps whether there is a good reason to use one of the following two blocks of code rather than the other?

using (SqlTransaction mySqlTransaction = mySqlConnection.BeginTransaction)
{
    using (SqlCommand mySqlCmd =
        new SqlCommand("First of many SQL statements here", mySqlConnection, mySqlTransaction)
    {
        mySqlCmd.Parameters.Add("@MyFirstParm", SqlDbType.Int).Value = myFirstVal;
        mySqlCmd.ExecuteNonQuery();
    }

    using (SqlCommand mySqlCmd =
        new SqlCommand("Second of many SQL statements here", mySqlConnection, mySqlTransaction)
    {
        mySqlCmd.Parameters.Add("@MySecondParm", SqlDbType.Int).Value = mySecondVal;
        mySqlCmd.ExecuteNonQuery();
    }

    .
    .
    .

    sqlTransaction.Commit();
}

vs.

using (SqlTransaction mySqlTransaction = mySqlConnection.BeginTransaction)
{
    using (SqlCommand mySqlCmd = new SqlCommand("", mySqlConnection, mySqlTransaction)
    {
        mySqlCmd.Parameters.Add("@MyFirstParm", SqlDbType.Int).Value = myFirstVal;
        mySqlCmd.Parameters.Add("@MySecondParm", SqlDbType.Int).Value = mySecondVal;

        mySqlCmd.CommandText = "First of many SQL statements here";
        mySqlCmd.ExecuteNonQuery();

        mySqlCmd.CommandText = "Second of many SQL statements here";
        mySqlCmd.ExecuteNonQuery();

        .
        .
        .
    }

    sqlTransaction.Commit();
}
4

3 回答 3

2

I would go with 1 since you are having a fresh set of parameters for each SqlCommand.

I would also suggest moving these into separate methods or even doing it as a sproc.

于 2013-10-17T13:13:23.830 回答
1

Advantages of A: Two separate commands is slightly less confusing than using the same command for two statements and you can change the SQLcommand overloads for command 2 without affecting command 1 Advantages of B: Uses slightly less resources and less code (if that matters to you)

Advantages of both: You can wrap the single method in a try catch to make both required to be successful for transaction to be committed, otherwise rollback.

Disadvantages of both: Hard coding SQL inside a method in modern times is very dangerous, if these parameters are coming from any text fields in any UI objects than your DB can get messed up from SQL injection attacks. It is more confusing to have one db method executing two separate statements than just handling the statements within a stored proc. Also, using stored procs and changing your commandtype to commandtype.storedprocedure will prevent sql injection attacks from coming in via parameters (in most cases). There are plenty of great articles on SQL injection out there, here is a relevant one.

http://blogs.msdn.com/b/raulga/archive/2007/01/04/dynamic-sql-sql-injection.aspx

于 2013-10-17T13:36:33.380 回答
0

But for your case a third option can be a stored procedure that takes 2 params and executes all your statements internally. In this case you need only a single executeNonQuery instruction.

于 2013-10-17T13:18:10.503 回答