From the .NET tag (and only from the tag) I'm going to assume SQL Server here. Parametrized queries are excellent for projects that have a single application and modest security requirements. They require less effort to set up, and many ORM systems are going to use them whether you like it or not.
On the other hand, if your database is handled by multiple applications and you need to enforce consistency of access, or if you need complex security (partial access to tables, either by column or by row or both) you should be using stored procedures. They allow you to enforce your security requirements and provide a consistent interface so applications don't violate your data rules.
As far as performance goes, I haven't noticed enough difference between the two to care these days: plan caching for parametrized queries seems to work well enough.
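To make the two approaches concrete, here is an added T-SQL example (not from the original post). It shows a parametrized ad-hoc query via sp_executesql, and then a stored procedure used as the only interface to a table, with the application role granted EXECUTE on the procedure and denied direct access to the table. The table, column, role and user names are assumptions for the demonstration.

```sql
-- Added example, not from the original post. Table, role and user names are
-- assumptions for the demonstration; run in a scratch SQL Server database.
CREATE TABLE dbo.Customers (
    CustomerId  INT           NOT NULL PRIMARY KEY,
    Name        NVARCHAR(100) NOT NULL,
    Region      NVARCHAR(20)  NOT NULL,
    CreditLimit DECIMAL(12,2) NOT NULL,  -- sensitive: must not reach the reporting app
    SSN         CHAR(11)      NULL       -- sensitive
);

-- 1. Parametrized ad-hoc query: the input travels as a typed parameter, never
--    as part of the SQL text, so it cannot alter the statement.
DECLARE @sql NVARCHAR(MAX) =
    N'SELECT CustomerId, Name FROM dbo.Customers WHERE Region = @Region';
EXEC sys.sp_executesql @sql, N'@Region NVARCHAR(20)', @Region = N'EMEA';

-- Contrast (do not use): string concatenation turns the same input into SQL.
-- DECLARE @input NVARCHAR(200) = N''' OR 1=1 --';
-- EXEC (N'SELECT CustomerId, Name FROM dbo.Customers WHERE Region = ''' + @input + N'''');
GO

-- 2. Stored procedure as the only interface: it fixes which columns and which
--    rows are visible, regardless of which application calls it.
CREATE PROCEDURE dbo.GetCustomersByRegion
    @Region NVARCHAR(20)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Name, Region   -- CreditLimit and SSN never leave the procedure
    FROM dbo.Customers
    WHERE Region = @Region;
END;
GO

-- Application role: may execute the procedure, may not touch the table directly.
CREATE ROLE ReportingApp;
GRANT EXECUTE ON dbo.GetCustomersByRegion TO ReportingApp;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Customers TO ReportingApp;
-- Ownership chaining: the procedure and the table share an owner (dbo), so the
-- table permissions are not re-checked inside the procedure. The DENY therefore
-- blocks direct queries without breaking the procedure.

-- Hypothetical application principal mapped into the role.
CREATE USER reporting_svc WITHOUT LOGIN;
ALTER ROLE ReportingApp ADD MEMBER reporting_svc;

-- Verify the boundary by impersonating the application principal.
EXECUTE AS USER = 'reporting_svc';
EXEC dbo.GetCustomersByRegion @Region = N'EMEA';   -- succeeds
-- SELECT SSN FROM dbo.Customers;                   -- fails: SELECT permission denied
REVERT;
```

The first half is what an ORM does for you; the second half is the part an ORM cannot do, because the access rule lives in the database and applies to every application that connects, not just the one whose code you control.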