I always have this notion that writing SQL queries in the code-behind is not good compared to writing them using a SqlDataSource.
    SqlDataAdapter ad = new SqlDataAdapter("SELECT * FROM Categories", myConnection);
    DataSet ds = new DataSet();
    ad.Fill(ds, "Categories");
    myGridView.DataSource = ds;
    myGridView.DataBind();
vs.
<asp:SqlDataSource ID='SqlDataSource1' runat='server' ConnectionString='<%$ ConnectionStrings:myConnection %>' SelectCommand='SELECT * FROM Categories' />
I feel using SqlDataSource is secure, easy to maintain. Is my concern true? Please justify.
SQL queries in the code-behind and SQL queries in a SqlDataSource are pretty much equivalent.
They’re both about the same security-wise; as for easier to maintain, SqlDataSource may be a bit easier in most cases.
A data-access layer is preferred, but SqlDataSource is sometimes a good-enough expediency. I wouldn’t hit you with a rolled-up newspaper for using one if you didn’t already have a data-access layer and it was for something simple/a one-off.
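An added example, not part of the answer above: a minimal data-access class for the question's Categories query, showing where the security-relevant choice (a parameterized command) sits once the SQL leaves the page. The class name `CategoryData`, the `CategoryName` column, the 50-character parameter size and the `searchBox` control are assumptions; `myConnection` and `myGridView` come from the question.

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Hypothetical data-access class; its name and members are assumptions, not from the page.
public static class CategoryData
{
    // "myConnection" is the connection string name used in the question's markup.
    private static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["myConnection"].ConnectionString; }
    }

    // Returns the categories matching the given name.
    // The CategoryName column is an assumption about the Categories table.
    public static DataTable GetByName(string name)
    {
        const string sql = "SELECT * FROM Categories WHERE CategoryName = @name";

        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            // The value travels as a typed parameter and is never concatenated into the SQL text.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name ?? string.Empty;

            DataTable table = new DataTable("Categories");
            adapter.Fill(table); // Fill opens and closes the connection itself.
            return table;
        }
    }
}

// The code-behind then only binds the result (searchBox is a hypothetical TextBox):
//   myGridView.DataSource = CategoryData.GetByName(searchBox.Text);
//   myGridView.DataBind();
```

The same query in a SqlDataSource would declare `@name` under `<SelectParameters>`; in either place the protection comes from the parameter, not from where the SQL text is written.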