Sunday, March 23, 2014

Generic method to run sql from files

Generally, DB access should be done via a self-written abstraction layer. Whether the DB supports stored procedures or not is irrelevant then. You write one implementation per DBMS, all based on the same interface or abstract base class. The actual program only uses what is defined in said interface/base class, so which of the DBMS adapters is instantiated is irrelevant.

This makes swapping out one DBMS class for another a single-line change. Here is a good example of this design:

http://ift.tt/1oOIoAR

Even taking user input and concatenating it into a query without sanitizing is a very bad idea:


http://ift.tt/rBPeWt

http://xkcd.com/327/

Ideally use SQL parameters, as they are type-safe and injection-proof (http://ift.tt/LyDxBo).

Taking the whole query as a string from any source is just asking for someone to write "DROP DATABASE" into a line, and your DB code should never allow that (and before you think about it, just filtering for keywords is not going to work either. What if someone writes a comment "--this should not drop the database"?)
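As an added example (not code from the original post), here is the adapter idea and the parameter idea together, using Python's built-in sqlite3 module: the DbAdapter/SqliteAdapter classes and the users table are constructed for the demo. It goes one step beyond the text by also showing that concatenation breaks on a perfectly legitimate name containing an apostrophe, while the bound parameter handles it.

```python
import sqlite3
from abc import ABC, abstractmethod

class DbAdapter(ABC):
    """Interface the application codes against; one subclass per DBMS."""

    @abstractmethod
    def query(self, sql: str, params: tuple = ()) -> list:
        """Run one statement; values in params are bound as data, never as SQL."""

class SqliteAdapter(DbAdapter):
    """Hypothetical adapter for the demo; a real one wraps its DBMS driver."""

    def __init__(self, path: str = ":memory:"):
        self.conn = sqlite3.connect(path)

    def query(self, sql: str, params: tuple = ()) -> list:
        # The driver binds each '?' to one value; a value cannot alter the SQL text.
        return self.conn.execute(sql, params).fetchall()

def make_demo_db() -> DbAdapter:
    # Constructed sample data for the demo, not real users.
    db = SqliteAdapter()
    db.query("CREATE TABLE users (name TEXT, role TEXT)")
    for row in [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")]:
        db.query("INSERT INTO users VALUES (?, ?)", row)
    return db

def find_user_unsafe(db: DbAdapter, name: str):
    """Concatenation: the input becomes SQL text. Returns None if the SQL breaks."""
    try:
        return db.query("SELECT name FROM users WHERE name = '" + name + "'")
    except sqlite3.Error:
        return None

def find_user_safe(db: DbAdapter, name: str) -> list:
    """Parameterized: the same input is only ever compared as a value."""
    return db.query("SELECT name FROM users WHERE name = ?", (name,))

if __name__ == "__main__":
    db = make_demo_db()
    print(find_user_unsafe(db, "O'Brien"))        # None: the apostrophe broke the query
    print(find_user_safe(db, "O'Brien"))          # [("O'Brien",)]
    print(len(find_user_unsafe(db, "x' OR '1'='1") or []))  # 3: every row returned
    print(find_user_safe(db, "x' OR '1'='1"))     # []: treated as a literal name
```

Swapping SqliteAdapter for another DbAdapter subclass leaves both find_user functions untouched, which is the single-line change the text describes.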

Let's talk about MVVM: http://ift.tt/1fpEgna Please mark post as helpful and answers respectively.
