Reading notes on Beginning ASP.NET (asp.net入門經典)

Source: Internet
Uploader: User
I. Ways to improve performance:
1. Remember that database access is relatively expensive—it consumes both time and resources.
2. When a control property is used several times, read it into a local variable first instead of accessing the property repeatedly.
II. Handling errors
1. Defensive code (from Chapter 15)
In general, you should always check incoming parameters if the method is a public one—that is, it is
called from outside the class. If it's a method that isn't accessible from outside of the class (private or
protected), then this is less important because you're probably supplying those parameters yourself,
although this doesn't necessarily mean the parameters will be correct—you might get the values from
elsewhere before passing them into the method.
2.The solution to SQL injection is to use parameters, because these automatically prevent this type of attack.
If you’re using stored procedures, which you should be, then parameters are required for passing information
into the procedure, but when you’re building SQL dynamically, you can still use parameters. So if
you were running a SqlCommand, you could do this:
string SQL = "SELECT * FROM Employee WHERE LastName=@LastName";
SqlCommand cmd = new SqlCommand(SQL, conn);
// SqlParameterCollection has no Append method; Add(name, type, size) creates the typed parameter
cmd.Parameters.Add("@LastName", SqlDbType.VarChar, 50);
cmd.Parameters["@LastName"].Value = LastName.Text;
Here @LastName is the parameter name, and because the value is assigned via the parameter, no SQL
injection can take place. This is because ADO.NET protects against SQL injection attacks when using
parameters—the values passed into parameters are checked for specific content that would signify an
attack.
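The following is an added example, not code from the book or from these notes. It puts the two points of section II together: a public method that checks its incoming parameter, and a lookup that passes the user's value as a typed parameter instead of splicing it into the SQL text, plus the stored-procedure form the book recommends. It assumes a table Employee with FirstName and LastName columns (only LastName appears in the notes) and a hypothetical stored procedure GetEmployeesByLastName with a @LastName parameter.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class EmployeeLookup
{
    // Vulnerable form, kept only for contrast: the user-supplied value becomes part of
    // the SQL text, so any quote character in it changes the structure of the query.
    public static string BuildUnsafeSql(string lastName)
    {
        return "SELECT FirstName, LastName FROM Employee WHERE LastName='" + lastName + "'";
    }

    // Safe form: dynamic SQL with a parameter. The value is sent separately from the
    // command text as a typed VarChar(50), so it can never be parsed as SQL.
    public static List<string> FindByLastName(string connectionString, string lastName)
    {
        // Defensive check on a public method's incoming parameter (section II.1).
        if (string.IsNullOrWhiteSpace(lastName))
            throw new ArgumentException("Last name is required.", nameof(lastName));

        var names = new List<string>();
        const string sql = "SELECT FirstName, LastName FROM Employee WHERE LastName = @LastName";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@LastName", SqlDbType.VarChar, 50).Value = lastName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0) + " " + reader.GetString(1));
            }
        }
        return names;
    }

    // Same lookup through a stored procedure (hypothetical name); here a parameter is
    // the only way to pass the value in, which is why the book recommends this route.
    public static SqlCommand BuildStoredProcCommand(SqlConnection conn, string lastName)
    {
        var cmd = new SqlCommand("GetEmployeesByLastName", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@LastName", SqlDbType.VarChar, 50).Value = lastName;
        return cmd;
    }
}
```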