由网友(哑剧真动)分享简介：我有被别人写在我的web项目中的以下code：I have the following code that was written by someone else in my web project:StringBuilder sql = new StringBuilder("");// Define sqlsql....

我有被别人写在我的web项目中的以下code：

I have the following code that was written by someone else in my web project:

    StringBuilder sql = new StringBuilder("");

    // Define sql
    sql.Append("SELECT title ");
    sql.Append("FROM MyTable ");
    sql.Append(string.Format("WHERE id = {0} AND Var = '{1}'", myId, myVar));

    DataTable dtGroups = SqlHelper.GetDataTable(sql.ToString());

    if (dtGroups.Rows.Count > 0)
    {

        foreach (DataRow dr in dtGroups.Rows)
        {
            return dr["title"].ToString();
        }
    }

    return "";

我再有一个辅助类名为SqlHelper.cs它有这个方法：

I then have a helper class called SqlHelper.cs which has this method:

  public static DataTable GetDataTable(string sql) {
        return GetDataTable(sql, MyConnectionString);
    }

是否把SqlHelper类构成DAL？什么是做事的正确方法？我应该创建你所发送的SQL到DAL类和刚拿到冠军回来（如SqlHelper.GetTitle（SQL））？

Does the SqlHelper class constitute a DAL? What is the proper way of doing things? Should I create a DAL classes that you will send the sql to and just get the title returned (like SqlHelper.GetTitle(sql))?

推荐答案

这code是刚刚的坏的。 SQL注入;数据表没有任何理由; StringBuilder的没有理由。在这里，它只是做了，用短小精悍（免费提供的NuGet）：

That code is just bad. SQL injection; DataTable for no reason; StringBuilder for no reason. Here it is done simply, using "dapper" (freely available on NuGet):

using(var conn = GetSomeConnection()) { // <== todo
    return conn.Query<string>(
        "select title from MyTable where id=@id and Var=@var",
        new { id = myId, var = myVar }).FirstOrDefault() ?? "";
}

这是：

在注射安全（完全参数化） 直接（比如数据表没有不必要的层） 优化