
Use DAL+ ExecuteSQL for truly rapid DotNetNuke® Module development

Using the ExecuteSQL method of the DotNetNuke Data Access Layer allows you to quickly and easily create DotNetNuke modules that access the database.

SQL vs. Stored Procedures

I love stored procedures as much as the next developer and have used them for years. However, during development I use the ExecuteSQL method of the DAL+ to initially create the module and later I turn the SQL statements into stored procedures.

The ExecuteSQL code looks like this (note: I am not using a data provider class for brevity):

' Build the SQL text and hand it straight to the DAL+ (no data provider class here, for brevity).
Dim mySqlString As New StringBuilder()
mySqlString.Append("SELECT * FROM DesktopModules")
Me.GridView1.DataSource = CType(DataProvider.Instance().ExecuteSQL(mySqlString.ToString()), IDataReader)

This allows truly rapid DotNetNuke Module development. There are cases where I would like to leave the code as SQL statements but previously I didn't because of two factors:

  • Risk of SQL Injection attacks
  • Supporting the {databaseOwner} and {objectQualifier} features of the DotNetNuke framework

While researching another issue I ran across this code in the DotNetNuke Core that solves both of those problems:

This is an overloaded function of the ExecuteSQL method and it addresses the two previous concerns. I altered my Super Simple DAL+ Tutorial to use code like this:

Imports System.Data
Imports System.Data.SqlClient
Imports System.Text
Imports DotNetNuke.Data

' {databaseOwner} and {objectQualifier} are replaced by the framework before execution.
Dim mySqlString As New StringBuilder()

mySqlString.Append("SELECT FriendlyName, Description ")
mySqlString.Append("FROM {databaseOwner}{objectQualifier}DesktopModules ")
mySqlString.Append("WHERE Description LIKE '%' + @SearchString + '%' ")
mySqlString.Append("ORDER BY FriendlyName")

' The search term travels as a bound parameter, never as part of the SQL text.
Dim myParam As SqlParameter = New SqlParameter("@SearchString", SqlDbType.VarChar, 150)
myParam.Value = SearchString

Me.GridView1.DataSource = CType(DataProvider.Instance().ExecuteSQL(mySqlString.ToString(), myParam), IDataReader)
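As an added example (not code from the original post or from the DNN core), here is the concatenated version of that query next to the parameterized one, inside a hypothetical module helper class `DesktopModuleSearch`; the `ESCAPE` clause and the `EscapeLikeWildcards` helper go beyond the post's query and are assumptions of this example.

```vb
' Added example, not code from the original post or the DNN core: the concatenated
' query beside the parameterized DAL+ version, in a hypothetical module helper class.
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text
Imports DotNetNuke.Data

Public Class DesktopModuleSearch

    ' Vulnerable: the search term becomes part of the SQL text, so a single quote in
    ' the input ends the string literal and the remainder is executed as SQL.
    Public Shared Function SearchUnsafe(ByVal searchString As String) As IDataReader
        Dim sql As New StringBuilder()
        sql.Append("SELECT FriendlyName, Description ")
        sql.Append("FROM {databaseOwner}{objectQualifier}DesktopModules ")
        sql.Append("WHERE Description LIKE '%" & searchString & "%' ")  ' injection point
        sql.Append("ORDER BY FriendlyName")
        Return CType(DataProvider.Instance().ExecuteSQL(sql.ToString()), IDataReader)
    End Function

    ' Hardened: the same query with the term bound as an SqlParameter. The SQL text
    ' never changes with input; only the parameter value varies, and the framework
    ' still replaces {databaseOwner} and {objectQualifier} before the statement runs.
    Public Shared Function SearchSafe(ByVal searchString As String) As IDataReader
        Dim sql As New StringBuilder()
        sql.Append("SELECT FriendlyName, Description ")
        sql.Append("FROM {databaseOwner}{objectQualifier}DesktopModules ")
        sql.Append("WHERE Description LIKE '%' + @SearchString + '%' ESCAPE '\' ")
        sql.Append("ORDER BY FriendlyName")

        ' Size the parameter explicitly so it bounds what is sent to the server.
        Dim param As New SqlParameter("@SearchString", SqlDbType.VarChar, 150)
        param.Value = EscapeLikeWildcards(searchString)
        Return CType(DataProvider.Instance().ExecuteSQL(sql.ToString(), param), IDataReader)
    End Function

    ' A bound parameter stops injection but not LIKE wildcards: a bare "%" or "_" in
    ' the input still matches every row. Escape them so the term is matched literally
    ' (the ESCAPE clause above declares the backslash as the escape character).
    Public Shared Function EscapeLikeWildcards(ByVal value As String) As String
        Return value.Replace("\", "\\").Replace("%", "\%").Replace("_", "\_")
    End Function

End Class
```

The `+` string concatenation in the LIKE clause is SQL Server syntax, as in the post; on other engines you would swap it for their concatenation operator.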

Even if you decide to use stored procedures, the ExecuteSQL method will allow you to quickly create your module because you won't have to create the stored procedures until the final step. When you do create the stored procedures, you will be able to cut and paste most of the code.

If you decide to use the ExecuteSQL statements in production, you will only need database scripts to create and alter your tables. If you use ANSI-compatible SQL syntax, your module should also work with alternate databases such as Oracle and MySQL.

In addition, remember that the DAL+ is not just ExecuteSQL. It consists of four methods:

  • ExecuteNonQuery - Used to execute a stored procedure that will not return a value.
  • ExecuteReader - Used to execute a stored procedure that will return multiple records.
  • ExecuteScalar - Used to execute a stored procedure that will return a single value.
  • ExecuteSQL - Used to execute a SQL statement.
