Is it a best practice to use stored procedure for every single SQL call in .NET applications?
Is it encouraged for performance reasons and to reduce surface area for SQL injection attacks (in web applications)?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is it a best practice to use stored procedure for every single SQL call in .NET applications?
Is it encouraged for performance reasons and to reduce surface area for SQL injection attacks (in web applications)?
Stored procedures have a few advantages over parameterized queries:
When used exclusively, you can turn off CREATE, INSERT, SELECT, UPDATE, ALTER, DROP, DELETE, etc access for your application accounts, and this way add a small amount of security.
They provide a consistent, manageable interface when you have multiple applications using the same database.
Using procedures allows a DBA to manage and tune queries even after an application is deployed.
Deploying small changes and bug fixes is much simpler.
They also have a few disadvantages:
The number of procedures can quickly grow to the point where maintaining them is difficult, and current tools don’t provide a simple method for adequate documentation.
Parameterized queries put the database code next to the place where it’s used. Stored procedures keep it far separated, making finding related code more difficult.
Stored procedures are harder to version.
You’ll need to weigh those costs/benefits for your system.