Camillia
asked on
Code works but looking for a better way
This code works. I've used LINQ to SQL on some projects but now I'm wondering if there's a better way of coding this. I'm using stored procs and I want to see if I can use parameters for the stored proc. I don't want to use Entity Framework.
1. I have a DBML
2. I have a stored proc
3. I have a model
4. I call the stored proc like this
private LPDataContext _dbContext;

public FormsRepository()
{
    _dbContext = new LPDataContext();
}

// DBML-generated wrapper for the stored proc: each argument is sent to SQL Server as a SqlParameter.
// Note: int.Parse throws FormatException on non-numeric input, so validate those model fields
// (or use int.TryParse) before reaching this call.
_dbContext.usp_InsertPersonali765Draft(
    model.ApplyReasonId, firstName, model.MiddleName, familyName,
    otherFirstName1, model.OtherMiddleName1, otherFamilyName1,
    otherFirstName2, model.OtherMiddleName2, otherFamilyName2,
    otherFirstName3, model.OtherMiddleName3, otherFamilyName3,
    streetAddress, model.AptNumber, city, model.StateId, model.ZipCode,
    int.Parse(model.CountryOfNationality),
    model.BirthCity, model.BirthState, int.Parse(model.CountryOfBirth), dateOfBirth, model.Gender,
    model.MaritalStatusCode, model.UserName);
Is this code OK? Should I leave it as is?
How can I call the stored proc with parameters? This is an example of a LINQ to SQL insert, but it doesn't use a stored proc: Example
Another one here, but it's not a stored proc: Another example
EDIT: I'm concerned about SQL injection, but maybe how I have it is correct. See here: Example 3. It says:
"Linq to SQL turns the curly braces into a parameterized query."
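The following is an added example written for this thread; it is not code from the question or from any of the Experts Exchange answers. It assumes a SQL Server database with a stored procedure dbo.usp_InsertPersonDraft (@FirstName, @FamilyName, @UserName) and a table dbo.Person with those columns; the asker's real proc has many more parameters, but the pattern is identical. It shows the three ways LINQ to SQL keeps values out of the SQL text (the DBML-mapped method, ExecuteCommand/ExecuteQuery with {0} placeholders) next to the one way that defeats it (concatenating the value into the string yourself), which is what to look for in code review.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Reflection;

// Added example, not the asker's or the site's code. Assumed schema:
// dbo.usp_InsertPersonDraft(@FirstName, @FamilyName, @UserName) and dbo.Person.
public class PersonDataContext : DataContext
{
    public PersonDataContext(string connectionString) : base(connectionString) { }

    // This is the shape the DBML designer / SqlMetal generates for a stored proc.
    // Each [Parameter] becomes a SqlParameter on the command; the values travel
    // alongside the command text and are never spliced into it.
    [Function(Name = "dbo.usp_InsertPersonDraft")]
    public int usp_InsertPersonDraft(
        [Parameter(Name = "FirstName", DbType = "NVarChar(100)")] string firstName,
        [Parameter(Name = "FamilyName", DbType = "NVarChar(100)")] string familyName,
        [Parameter(Name = "UserName", DbType = "NVarChar(256)")] string userName)
    {
        IExecuteResult result = this.ExecuteMethodCall(
            this, (MethodInfo)MethodInfo.GetCurrentMethod(), firstName, familyName, userName);
        return (int)result.ReturnValue;
    }
}

// Projection type for ExecuteQuery<T>; property names must match the result columns.
public class PersonRow
{
    public string FirstName { get; set; }
    public string FamilyName { get; set; }
    public string UserName { get; set; }
}

public static class PersonRepository
{
    // 1. The mapped-method call, i.e. what the asker's code already does.
    public static int InsertDraft(PersonDataContext db, string firstName, string familyName, string userName)
    {
        return db.usp_InsertPersonDraft(firstName, familyName, userName);
    }

    // 2. The "direct SQL" route from the docs the asker links to. The {0}/{1}/{2}
    // placeholders are not String.Format: LINQ to SQL rewrites them to @p0, @p1, @p2
    // and passes the values as parameters, so this is parameterized as well.
    public static int InsertDraftDirect(PersonDataContext db, string firstName, string familyName, string userName)
    {
        return db.ExecuteCommand(
            "EXEC dbo.usp_InsertPersonDraft @FirstName = {0}, @FamilyName = {1}, @UserName = {2}",
            firstName, familyName, userName);
    }

    // 3. Reading rows with the same placeholder mechanism.
    public static IEnumerable<PersonRow> FindByFamilyName(PersonDataContext db, string familyName)
    {
        return db.ExecuteQuery<PersonRow>(
            "SELECT FirstName, FamilyName, UserName FROM dbo.Person WHERE FamilyName = {0}",
            familyName);
    }

    // 4. The pattern that DOES reintroduce injection: building the text yourself.
    // Placeholder protection only covers values passed as arguments; a value
    // concatenated into the string is already SQL by the time LINQ to SQL sees it.
    // Kept here only as the thing to reject in code review.
    public static IEnumerable<PersonRow> FindByFamilyName_Unsafe(PersonDataContext db, string familyName)
    {
        return db.ExecuteQuery<PersonRow>(
            "SELECT FirstName, FamilyName, UserName FROM dbo.Person WHERE FamilyName = '" + familyName + "'");
    }
}
```

Two practical caveats. Placeholders parameterize values only: a table or column name cannot be passed as {0}, so anything of that kind has to come from a fixed allow-list in your code, never from the request. And a DataContext holds a connection and a change tracker, so creating it per request inside a using block is safer than keeping one in a long-lived repository field the way the question's constructor does.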
ASKER
I think I can rewrite it like this
https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/linq/how-to-directly-execute-sql-queries
ASKER
Let me take a look.
I don't understand Kyle's response though. You're saying LINQ to SQL takes care of the parameterized query, and how I have it now is OK?
Correct. You're essentially calling C# code, and LINQ to SQL does the "heavy lifting" of converting it to a parameterized query.
Hi Camillia;
LINQ to SQL and LINQ to Entity Framework both parameterize the queries and SPs they send to the server.
ASKER
Thanks, guys. Reading the links posted here to get a better understanding.
Not a problem Camillia, always glad to help.
ASKER
I just edited the question. I think we posted at the same time. I'm concerned about SQL injection, but what I have is probably OK because of the last link I posted.
By "better", I mean using a parameterized query with LINQ to SQL to avoid SQL injection.