I have 2 different update queries, one I created:
x
UPDATE_QUERY = ""UPDATE_QUERY = UPDATE_QUERY & "UPDATE ORGBHVTasklist "UPDATE_QUERY = UPDATE_QUERY & "SET TaskID = NULL "UPDATE_QUERY = UPDATE_QUERY & "WHERE TaskID = ? "set cmd = server.CreateObject("ADODB.Command")cmd.ActiveConnection = objConcmd.CommandText = UPDATE_QUERYset paramID = cmd.CreateParameter("@id", 3, 1, , taskID)cmd.Parameters.Append paramIDcmd.executemy colleague preferred this one:
UPDATE_QUERY = ""UPDATE_QUERY = UPDATE_QUERY & "SELECT taskid "UPDATE_QUERY = UPDATE_QUERY & "FROM ORGBHVTasklist "UPDATE_QUERY = UPDATE_QUERY & "Where taskID = "&taskID&" " set objUpdate = Server.CreateObject("ADODB.Recordset")objUpdate.CursorType = 2objUpdate.LockType = 3objUpdate.Open UPDATE_QUERY, objConobjUpdate.Fields("taskid") = NULLobjUpdate.UpdateobjUpdate.closeSet objUpdate = nothingHe can’t explain which one should be better and neither can I. The only difference I have, is that the update on the second query crashes when there are no results to update.
Can anyone explain what’s the difference?
Advertisement
Answer
To sum it up:
The first approach (parameterized query/prepared statement) is best, because it
- is easy: automagical quoting and formatting of the parameters
- can be more efficient: the DBMS may optimize
- avoids fetching and storing the resultset (@Ansgar)
- scales better: would work for many records without change
- guards against SQL-Injection
The second approach is worse because not having features 1 – 5 and worst/naive because not checking for an empty recordset (@peter, @Cageman).