I have 100% ad hoc SQL throughout my
application. A buddy of mine
recommended that I convert to stored
procedures for the extra performance
and security.
I would not worry about performance until there are actual pain points. For example, someone is using your application and complains that it's slow. Until you reach that point, your time is best spent improving your application.
In security, you have to balance effort versus risk. If your site doesn't store anything of value, even SQL Injection is a perfectly acceptable risk, as proven by a great number of web sites out there :)