Comment Re:Use a persistence library (Score 1) 267
I know how to do CTEs, sorting, paging, all of that stuff. That is not the issue. The issue is there is no benefit to having this all in stored procs other than the fact that you get to lock down by execute permission only. IF that is your goal in life, then fine, do it. But there is a lot of benefit to be had by using dynamic SQL generation, so long as you are protecting against injection. There is no need to throw everything in a proc, especially read only queries using strongly typed parameterized statements. I generally do all update or insert code in procs, and I will do complicated queries I construct with Lambdas using LINQ. This is so much faster to develop, doesn't litter my code with SQL, and look, it's just about as secure as your way. I don't understand what the huge deal is with everyone saying 'must stored procedure!' I have been doing this for 15 years, I'm not an idiot, I have seen the shift in opinion from one way of doing this to the other more than once. It's just stupid to say that you have to always do stored procs. My complexity examples were just that, examples. Maybe not the greatest examples, but I was trying to illustrate that if you have to change just one little thing, like maybe I use conditions 1 and 12, and next time I use 25,26, and 27, it's ridiculous to put that all in a proc, when i'm just doing some filtering. The reason I throw up the idea of the server side paging is because the typical solution is to draw it all back and filter client side, which i hate, but throwing that on an already complicated multiple parameter proc just makes it that much moreso. i wasn't implying that I, you, or anyone, doesn't know HOW, I'm saying that the idea that you MUST do it in a proc is ridiculous.