Click here to monitor SSC
SQLServerCentral is supported by Redgate
Log in  ::  Register  ::  Not logged in
Home       Members    Calendar    Who's On

Add to briefcase «««123

forming a dynamic query Expand / Collapse
Posted Wednesday, May 7, 2014 10:04 AM



Group: General Forum Members
Last Login: Tuesday, December 6, 2016 8:08 PM
Points: 16,145, Visits: 16,850
a4apple (5/7/2014)
I believe you can write this query without using DYNAMIC SQL. but the only part that confuses me is @CID. You specified it as integer, and you are passing a name to it.

You can write something like this
FROM [Transaction]
WHERE Transdt BETWEEN CONVERT(VARCHAR (10),@transfrmdt,111) AND CONVERT(VARCHAR (10),@transtodt,111)
AND (@Cid IS NULL OR Cid = @cid)
AND (NULLIF(@Type, '') IS NULL OR [Type] = @Type)

This was mentioned already more than once. This is an example of a catch-all query. They work but usually have some negative performance implications. You can read more about this type of query here.


Need help? Help us help you.

Read the article at for best practices on asking questions.

Need to split a string? Try Jeff Moden's splitter.

Cross Tabs and Pivots, Part 1 – Converting Rows to Columns
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs
Understanding and Using APPLY (Part 1)
Understanding and Using APPLY (Part 2)
Post #1568568
Posted Wednesday, May 7, 2014 12:07 PM



Group: General Forum Members
Last Login: Today @ 8:40 AM
Points: 42,081, Visits: 39,472
Sean Lange (5/7/2014)
Jeff Moden (5/6/2014)
Sean Lange (5/1/2014)
The first and the biggest issue is this is wide open to sql injection.

In most cases, I'd strongly agree with you but... with two DATE, one INT, and one CHAR(1) parameters, I'd have to say that SQL Injection is impossible for the given code.

As to whether or not dynamic SQL is required for the original query or not goes, I'd have to agree with you and the others... NOT.

Yes I even said as much in my post. However, the OP is struggling with a concept here and we all know what happens when you have dynamic sql that is working and somebody comes along and adds another value to the mix. At some point they will add a varchar to the mix and because the initial work was done in a format that allows it this will be wide open. Or the other side of that is that they will use this same technique on another process because it worked here. I am just trying to help the OP learn a better way of doing this so that in the future their code will be safe.


fixed a spelling error.

Ah... understood. Thanks, Sean.

--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

Helpful Links:
How to post code problems
How to post performance problems
Post #1568636
« Prev Topic | Next Topic »

Add to briefcase «««123

Permissions Expand / Collapse