Rule Definition
Direct access to database Table prevents the control at the database level of accesses. E.g.: use of non-optimized query against the database.
Remediation
Use Stored Procedures instead
Violation Code Sample
SqlConnection sqlConnection1 = new SqlConnection("Your Connection String");
SqlCommand cmd = new SqlCommand();
SqlDataReader reader;
cmd.CommandText = "SELECT * FROM Customers"; // violation
cmd.CommandType = CommandType.Text;
cmd.Connection = sqlConnection1;
sqlConnection1.Open();
reader = cmd.ExecuteReader();
// Data is accessible through the DataReader object here.
sqlConnection1.Close();
Fixed Code Sample
SqlConnection sqlConnection1 = new SqlConnection ("Data Source=server;integrated " + "Security=sspi;initial catalog=pubs;");
SqlCommand testCmd = new SqlCommand ("TestProcedure", sqlConnection1 );
testCmd.CommandType = CommandType.StoredProcedure;
SqlParameter RetVal = testCmd.Parameters.Add
("RetVal", SqlDbType.Int);
PubsConn.Open();
SqlDataReader myReader = testCmd.ExecuteReader();
Console.WriteLine ("List of Customers:");
while (myReader.Read())
{
Console.WriteLine ("{0}", myReader.GetString (2));
};
myReader.Close();
Reference
CISQ rule: ASCPEM-PRF-9.
Related Technologies
ASP
Visual Basic
.Net
JEE
Technical Criterion
Architecture - Multi-Layers and Data Access
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.