Is this Correct Use of Dynamic SQL???
Posted Friday, September 27, 2013 11:19 PM
SSC Journeyman


Group: General Forum Members
Last Login: Monday, October 21, 2013 3:10 AM
Points: 81, Visits: 191
set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
go

-- =============================================
-- Author: <Author,,Name>
-- Create date: <Create Date,,>
-- Description: <Description,,>
-- =============================================
ALTER PROCEDURE [dbo].[SearchBiography]
    @firstname nvarchar(50),
    @middlename nvarchar(50),
    @lastname nvarchar(50),
    @sexID int,
    @statusID int
AS
BEGIN

    SET NOCOUNT ON;
    -- @SqlParam was used below but never declared; @SqlQuery must be nvarchar for sp_executesql
    DECLARE @SqlQuery nvarchar(max), @SqlParam nvarchar(max),
            @SqlQueryFirstName varchar(max), @SqlQueryMiddleName varchar(max),
            @SqlQueryLastName varchar(max), @SqlQuerySex varchar(max),
            @SqlQueryStatus varchar(max)

    SET @SqlQuery = ''
    SET @SqlQueryFirstName = ''
    SET @SqlQueryMiddleName = ''
    SET @SqlQueryLastName = ''
    SET @SqlQuerySex = ''
    SET @SqlQueryStatus = ''

    IF @sexID <> 0
        SET @SqlQuerySex = ' WHERE sexID = ' + convert(varchar(20), @sexID)

    IF @statusID <> 0
    BEGIN
        IF LEN(@SqlQuerySex) > 0
            SET @SqlQueryStatus = ' AND statusID = ' + convert(varchar(20), @statusID)
        ELSE
            SET @SqlQueryStatus = ' WHERE statusID = ' + convert(varchar(20), @statusID)
    END

    -- The name values are pasted straight into the SQL text (the injection risk the replies point out)
    IF LEN(@firstname) > 0
    BEGIN
        IF LEN(@SqlQuerySex) > 0 or LEN(@SqlQueryStatus) > 0
            SET @SqlQueryFirstName = ' AND firstname like ''%' + @firstname + '%'''
        ELSE
            SET @SqlQueryFirstName = ' WHERE firstname like ''%' + @firstname + '%'''
    END

    IF LEN(@middlename) > 0
    BEGIN
        IF LEN(@SqlQuerySex) > 0 or LEN(@SqlQueryStatus) > 0 or LEN(@SqlQueryFirstName) > 0
            SET @SqlQueryMiddleName = ' AND middlename like ''%' + @middlename + '%'''
        ELSE
            SET @SqlQueryMiddleName = ' WHERE middlename like ''%' + @middlename + '%'''
    END

    IF LEN(@lastname) > 0
    BEGIN
        IF LEN(@SqlQuerySex) > 0 or LEN(@SqlQueryStatus) > 0 or LEN(@SqlQueryFirstName) > 0 or LEN(@SqlQueryMiddleName) > 0
            SET @SqlQueryLastName = ' AND lastname like ''%' + @lastname + '%'''
        ELSE
            SET @SqlQueryLastName = ' WHERE lastname like ''%' + @lastname + '%'''
    END

    -- The fragments were never joined into a statement; the FROM target is the
    -- TestMyView used in the poster's revised version later in this thread
    SET @SqlQuery = 'SELECT * FROM TestMyView' + @SqlQuerySex + @SqlQueryStatus
                  + @SqlQueryFirstName + @SqlQueryMiddleName + @SqlQueryLastName

    -- None of these names appear in @SqlQuery, so binding them has no effect
    SELECT @SqlParam = ' @xfirstname nvarchar(50),
    @xmiddlename nvarchar(50),
    @xlastname nvarchar(50),
    @xsexID int,
    @xstatusID int '

    -- The statement is the first argument; the original had a stray comma and omitted it
    EXEC sp_executesql @SqlQuery, @SqlParam, @firstname, @middlename, @lastname, @sexID, @statusID

END




Post #1499637
Posted Saturday, September 28, 2013 12:26 AM
Right there with Babe


Group: General Forum Members
Last Login: Yesterday @ 9:09 PM
Points: 746, Visits: 4,783
The correct use for dynamic SQL is Option 1: DON'T, especially if you're a noob.

If you understand the repercussions of code that can't be optimized, and SQL injection attacks, etc., then knock yourself out.

It's perfectly okay to have a lot of stored procedures in your database, because those can be optimized.
Post #1499641
Posted Saturday, September 28, 2013 12:51 AM
SSC Journeyman


Group: General Forum Members
Last Login: Monday, October 21, 2013 3:10 AM
Points: 81, Visits: 191
pietlinden (9/28/2013)
The correct use for dynamic SQL is Option 1: DON'T, especially if you're a noob.

If you understand the repercussions of code that can't be optimized, and SQL injection attacks, etc., then knock yourself out.

It's perfectly okay to have a lot of stored procedures in your database, because those can be optimized.


I can't understand :-( ... please elaborate more, please.
Post #1499643
Posted Saturday, September 28, 2013 12:51 AM
SSC Journeyman


Group: General Forum Members
Last Login: Monday, October 21, 2013 3:10 AM
Points: 81, Visits: 191
set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
go

-- =============================================
-- Author: <Author,,Name>
-- Create date: <Create Date,,>
-- Description: <Description,,>
-- =============================================
ALTER PROCEDURE [dbo].[SearchBiography]
    @firstname nvarchar(50),
    @middlename nvarchar(50),
    @lastname nvarchar(50),
    @sexID nchar(5) = NULL,
    @statusID nchar(5) = NULL
AS
BEGIN

    SET NOCOUNT ON;
    DECLARE @SqlQuery nvarchar(max), @SqlParam nvarchar(max)

    SET @SqlQuery = ''

    SELECT @SqlQuery = ' SELECT * ' + ' FROM TestMyView WHERE 1 = 1 '

    -- Every filter below concatenates the caller's value directly into the SQL text
    IF @sexID <> '0'
        SELECT @SqlQuery = @SqlQuery + ' AND sexID LIKE ' + @sexID

    IF @statusID <> '0'
        SELECT @SqlQuery = @SqlQuery + ' AND statusID LIKE ' + @statusID

    IF LEN(@firstname) > 0
        SELECT @SqlQuery = @SqlQuery + ' AND firstname LIKE ''%' + @firstname + '%'''

    IF LEN(@middlename) > 0
        SELECT @SqlQuery = @SqlQuery + ' AND middlename LIKE ''%' + @middlename + '%'''

    IF LEN(@lastname) > 0
        SELECT @SqlQuery = @SqlQuery + ' AND lastname LIKE ''%' + @lastname + '%'''

    -- These parameters are declared and bound, but @SqlQuery never references them
    SELECT @SqlParam = '@xfirstname nvarchar(50),
    @xmiddlename nvarchar(50),
    @xlastname nvarchar(50),
    @xsexID nchar(5),
    @xstatusID nchar(5) '

    EXEC sp_executesql @SqlQuery, @SqlParam,
        @firstname, @middlename,
        @lastname, @sexID,
        @statusID
END




How about this?? huhuhuhuh ;-(
Post #1499644
Posted Saturday, September 28, 2013 1:08 AM


SSC-Insane


Group: General Forum Members
Last Login: Yesterday @ 9:04 PM
Points: 23,302, Visits: 32,057
What are the correct data types for the following columns:

sexID
statusID
firstname
middlename
lastname




Lynn Pettis

SQL Musings from the Desert Fountain Valley SQL (My Mirror Blog)
Post #1499645
Posted Saturday, September 28, 2013 1:13 AM
SSC Journeyman


Group: General Forum Members
Last Login: Monday, October 21, 2013 3:10 AM
Points: 81, Visits: 191
Lynn Pettis (9/28/2013)
What are the correct data types for the following columns:

sexID
statusID
firstname
middlename
lastname



sexID int
statusID int
firstname varchar(20)
middlename varchar(20)
lastname varchar(20)

that is in my table
Post #1499646
Posted Saturday, September 28, 2013 1:23 AM


SSC-Insane


Group: General Forum Members
Last Login: Yesterday @ 9:04 PM
Points: 23,302, Visits: 32,057
enriquezreyjoseph (9/28/2013)
Lynn Pettis (9/28/2013)
What are the correct data types for the following columns:

sexID
statusID
firstname
middlename
lastname



sexID int
statusID int
firstname varchar(20)
middlename varchar(20)
lastname varchar(20)

that is in my table


Okay, then based on the info above, your code is inefficient. Your parameters to both your stored procedure and the dynamic SQL you are building should match the data types of the columns in your table/view.

Also, the way you wrote your last dynamic SQL, you don't even need the parameters you defined; you aren't using them. The code you have written is ripe for SQL injection.



Lynn Pettis

Post #1499647
Posted Saturday, September 28, 2013 2:38 AM


SSCrazy


Group: General Forum Members
Last Login: Today @ 5:57 AM
Points: 2,434, Visits: 7,514
When you post in multiple threads like this, you fragment answers and make people have to start from the beginning again with helping you. If you have further questions, stick to your original thread please.


Not a DBA, just trying to learn

For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/

For better, quicker answers on SQL Server performance related questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/



Post #1499659
Posted Saturday, September 28, 2013 5:05 AM


SSC-Forever


Group: General Forum Members
Last Login: Today @ 7:33 AM
Points: 42,841, Visits: 35,969
All of the posted code is vulnerable to SQL injection. Please, please, for the third or fourth time, read up on SQL injection and don't use dynamic SQL until you have done so and understand how and why it's such a risk.

You've got sp_executesql with parameters being passed to it, but those parameters are never used anywhere in the dynamic SQL and hence give you no protection at all. Passing parameters is not the key. Using only parameters is the key.

Additionally, you have been referred, more than once, to my blog post on how to do catch-all queries safely with no injection risk.



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #1499675
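A version of the poster's SearchBiography that follows Lynn's and Gail's advice above: the search values reach the statement only as sp_executesql parameters that the SQL text actually references, and the parameter types match the column types the poster listed. This is an added example, not code from the thread; dbo.TestMyView and the column names are taken from the thread, the procedure name SearchBiography_Param and the NULL-means-no-filter convention are my assumptions.

```sql
-- Added example, not the poster's code: a catch-all search where the SQL text
-- never contains a caller-supplied value. Assumes dbo.TestMyView from the thread
-- with the column types the poster listed (sexID int, statusID int,
-- firstname/middlename/lastname varchar(20)).
CREATE PROCEDURE dbo.SearchBiography_Param
    @firstname  varchar(20) = NULL,   -- types match the columns, as Lynn advised
    @middlename varchar(20) = NULL,
    @lastname   varchar(20) = NULL,
    @sexID      int         = NULL,   -- NULL (not 0) means "no filter"
    @statusID   int         = NULL
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @SqlQuery nvarchar(max), @SqlParam nvarchar(max);

    -- Only literals written here and parameter names go into the text.
    SET @SqlQuery = N'SELECT sexID, statusID, firstname, middlename, lastname'
                  + N' FROM dbo.TestMyView WHERE 1 = 1';

    IF @sexID IS NOT NULL
        SET @SqlQuery += N' AND sexID = @xsexID';
    IF @statusID IS NOT NULL
        SET @SqlQuery += N' AND statusID = @xstatusID';
    -- The LIKE pattern is assembled inside the executed statement from the
    -- parameter, so a quote in @xfirstname is data to compare, not SQL.
    IF NULLIF(@firstname, '') IS NOT NULL
        SET @SqlQuery += N' AND firstname LIKE ''%'' + @xfirstname + ''%''';
    IF NULLIF(@middlename, '') IS NOT NULL
        SET @SqlQuery += N' AND middlename LIKE ''%'' + @xmiddlename + ''%''';
    IF NULLIF(@lastname, '') IS NOT NULL
        SET @SqlQuery += N' AND lastname LIKE ''%'' + @xlastname + ''%''';

    -- Every name declared here appears in @SqlQuery above; that is what makes
    -- the binding below meaningful, unlike the versions posted in the thread.
    SET @SqlParam = N'@xfirstname varchar(20), @xmiddlename varchar(20), '
                  + N'@xlastname varchar(20), @xsexID int, @xstatusID int';

    EXEC sys.sp_executesql @SqlQuery, @SqlParam,
        @xfirstname = @firstname, @xmiddlename = @middlename,
        @xlastname  = @lastname,  @xsexID = @sexID, @xstatusID = @statusID;
END
GO

-- Constructed call: matches rows whose last name contains "o'b"; the
-- apostrophe is part of the compared value and is never parsed as SQL.
EXEC dbo.SearchBiography_Param @lastname = 'o''b', @sexID = 1;
```

Parameterised values still carry LIKE wildcards (%, _ and [), so if callers must not be able to widen a match, escape those characters in the value and add an ESCAPE clause; that is a matching concern, not an injection one.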
Posted Sunday, September 29, 2013 5:45 PM
SSC Journeyman


Group: General Forum Members
Last Login: Monday, October 21, 2013 3:10 AM
Points: 81, Visits: 191
GilaMonster (9/28/2013)
All of the posted code is vulnerable to SQL injection. Please, please, for the third or fourth time, read up on SQL injection and don't use dynamic SQL until you have done so and understand how and why it's such a risk.

You've got sp_executesql with parameters being passed to it, but those parameters are never used anywhere in the dynamic SQL and hence give you no protection at all. Passing parameters is not the key. Using only parameters is the key.

Additionally, you have been referred, more than once, to my blog post on how to do catch-all queries safely with no injection risk.


Thank you sir
Post #1499799