0

I have two formats and they are shown below.

Format 1 :

printstring = printstring & "---------------------------------------" & vbNewLine

Format 2 :

printstring = String.Format("{0}---------------------------------------{1}", printstring, vbNewLine)

It was recommended to follow Format 2 by a Code Optimization Tool.

Is there any specific reason for this? Like memory consumption or some other reason?

Tharif
  • 13,794
  • 9
  • 55
  • 77
  • First sample actually doesn't formats anything. It is constant string without any variable parts. – Andrey Korneyev May 22 '15 at 08:40
  • 2
    These two lines of code do not do the same thing at all... – Jean Hominal May 22 '15 at 08:40
  • It's even better to use SqlParameter instead of full-text string in your case. But, string.format is better for readability – cdie May 22 '15 at 08:40
  • 7
    I would use [parameterized queries](http://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/) instead. – Soner Gönül May 22 '15 at 08:40
  • 2
    The second line is surely wrong (SQL-like injection). The first one I'm not sure it works... It depend to whom you give the query – xanatos May 22 '15 at 08:41
  • The second query can lead to sql injection attacks , the first one is just a string , use parameters – Coder1409 May 22 '15 at 08:41
  • @xanatos second format do help sql injection – Tharif May 22 '15 at 08:41
  • Are you sure the first line isn't: `Query = "select * from tbl_Jab WHERE productName='" + grd.CurrentRow.Cells(1).Value + "'";`? Because it seems fishy – xanatos May 22 '15 at 08:42
  • What kind of code optimization tool is that? Sounds fishy to me. – Yuval Itzchakov May 22 '15 at 08:42
  • 3
    @utility: No, the second format really doesn't. You're still just putting the string into the SQL. **Don't do this.** Use parameterized SQL, that's what it's there for. – Jon Skeet May 22 '15 at 08:42
  • 1
    from a non SQL point the second string is the way to go , but for SQL it's the worst way , you're exposing yourself to SQL injection attacks – Coder1409 May 22 '15 at 08:44
  • It's really not clear now why you've got the SQL part. Your question is unclear in general... – Jon Skeet May 22 '15 at 08:50
  • And here is another question that will address your question: [Why use String.Format?](https://stackoverflow.com/questions/4671610/why-use-string-format) – oleksii May 22 '15 at 08:53
  • thank you all ..dont know why all doubts are previously asked :) ! – Tharif May 22 '15 at 08:53

2 Answers2

1

Your code is suffering from SQL injection.

String formats are more efficient with large strings than string concatenations. They are also slightly easier to read. Both are perfectly valid.

To fix your SQL injection issue, you will want to parametrize your query:

using System;
using System.Data.SqlClient;

class Program
{
    static void Main()
    {
    //
    // The name we are trying to match.
    //
    string dogName = "Fido";
    //
    // Use preset string for connection and open it.
    //
    string connectionString =
        ConsoleApplication1.Properties.Settings.Default.ConnectionString;
    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        connection.Open();
        //
        // Description of SQL command:
        // 1. It selects all cells from rows matching the name.
        // 2. It uses LIKE operator because Name is a Text field.
        // 3. @Name must be added as a new SqlParameter.
        //
        using (SqlCommand command = new SqlCommand(
        "SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
        {
        //
        // Add new SqlParameter to the command.
        //
        command.Parameters.Add(new SqlParameter("Name", dogName));
        //
        // Read in the SELECT results.
        //
        SqlDataReader reader = command.ExecuteReader();
        while (reader.Read())
        {
            int weight = reader.GetInt32(0);
            string name = reader.GetString(1);
            string breed = reader.GetString(2);
            Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}",
            weight,
            name,
            breed);
        }
        }
    }
    }
}

Output (This varies depending on your database contents.)

Weight = 130, Name = Fido, Breed = Bullmastiff

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
aydjay
  • 858
  • 11
  • 25
0

I may be wrong here, but it looks like "grd.CurrentRow.Cells(1).Value" will resolve to a value in your c# code. You then intend to send this to the database. In other words your Format 2 will replace "grd.CurrentRow.Cells(1).Value" with a value before it goes to the database. Your Format 1 won't so is most likely incorrect and will not work.

In terms of performance, parameterizing queries is always recommended as it allows SQL Server's (if that is the database you are using) built in optimizer to build a query plan to optimise regular run queries. It will store this plan in a cache, so if you keep making the same types of queries, SQL Server should know the best way to call it after you have made one\more calls. Using Entity Framework or Stored Procedures to do data access will help you out here rather than building hard coded sql statements.

See these links for more information:

sarin
  • 5,227
  • 3
  • 34
  • 63