SQLServerCentral is supported by Redgate

Problem with parameterized query
Jeff Moden
SSC Guru (339K reputation)
Group: General Forum Members
Points: 339781 Visits: 42624
nadersam - Wednesday, September 13, 2017 2:36 AM
bmg002 - Tuesday, September 12, 2017 1:29 PM
Phil Parkin - Tuesday, September 12, 2017 11:14 AM
bmg002 - Tuesday, September 12, 2017 10:36 AM
Good thoughts with that Thom. SQL Injection, while unlikely in a NVARCHAR(19), could occur. Your solution does eliminate the risk involved of SQL injection.
I suppose if you knew that @comp_cod would only contain integers and a comma, you could do some weird stuff with splitting the string too, but that feels a bit like overkill for this.

In the end, it all depends on what your @comp_cod variable is created from and how easy it is to manipulate the source of that to fit your needs.

IMO, I don't think that using a splitter is overkill. The code required to use one is quite concise:

CREATE TABLE #companies (CompCode NVARCHAR(10));

INSERT #companies
(
CompCode
)
VALUES
(N'2')
,(N'3')
,(N'4');

DECLARE @comp_cod NVARCHAR(19) = N'2,3';

SELECT c.*
FROM
#companies c
CROSS APPLY dbo.udfDelimitedSplit8K(@comp_cod, ',') split
WHERE c.CompCode = split.Item;

The problem with it (that I thought was overkill) was that in that example you need to have a function for the splitter. Not everyone has that installed on their systems (myself included). For everything I use SQL for at my workplace, we do not have a real-world use for a string splitter to be stored in SQL. Splitting strings doesn't feel like a SQL task, but more of an application task (most .NET languages for example do string splitting quite well). So building a function to split the string (yes, I know it has been done on the forum and optimized to death) still feels like overkill to me.

But now I feel like I am getting off topic.

Using the same idea I was able to split it using a table valued function and use the result in the IN clause.

Thanks for all the replies, I appreciate it.
Nader


Please post the table valued function that you ended up using.

--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. -- Red Adair

Helpful Links:
How to post code problems
How to post performance problems
Forum FAQs
patrickmcginnis59 10839
SSCertifiable (6.6K reputation)
Group: General Forum Members
Points: 6621 Visits: 6150
Thom A - Wednesday, September 13, 2017 1:47 AM
bmg002 - Tuesday, September 12, 2017 1:29 PM

The problem with it (that I thought was overkill) was that in that example you need to have a function for the splitter. Not everyone has that installed on their systems (myself included). For everything I use SQL for at my workplace, we do not have a real-world use for a string splitter to be stored in SQL. Splitting strings doesn't feel like a SQL task, but more of an application task (most .NET languages for example do string splitting quite well). So building a function to split the string (yes, I know it has been done on the forum and optimized to death) still feels like overkill to me.

But now I feel like I am getting off topic.


I definitely wouldn't suggest that splitting strings is an application task. Consider that in SSRS, if you're passing multi-valued parameters, they are provided in a delimited string. If you didn't split those in SQL, how would you use it? Just an example.

SSRS can actually do this for you, but you'll have to use an "in" expression in your "where" clause and then SSRS will hardwire the comma'd parameters before sending the entire mess to SQL. You CAN use the splitter server side though, so you have your choice. I found this out by tracing a report one of my compadres did and that's what happened: SSRS built a list of all the multivalued selections and sent the entire hardwired list to the server.

What I did instead was send the list to the server and split it there, but I did it on the fly without the delimiter8k function; I just included code in the SQL that was called to split the list. I couldn't use the delimit8k at the time, but nothing stops you from doing similar code inline without the function, right?


to properly post on a forum:
http://www.sqlservercentral.com/articles/61537/
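The post above describes splitting the list inline, without installing a splitter function, while still sending the list to the server as a parameter. The following T-SQL is an added example written for this page, not code from the thread or from any poster. It reuses the thread's names (#companies, CompCode, @comp_cod); the tally-CTE splitter, the @list parameter name and the sample list are assumptions. The concatenated form that the thread warns about is left in as a comment for contrast.

```sql
-- Added example, not code from this thread: a parameterized batch whose
-- delimited list is split inline by a tally CTE, so no splitter function
-- has to be installed. #companies, CompCode and @comp_cod follow the thread;
-- everything else (@list, the CTE names, the sample data) is assumed.
CREATE TABLE #companies (CompCode NVARCHAR(10));
INSERT #companies (CompCode) VALUES (N'2'), (N'3'), (N'4');

DECLARE @comp_cod NVARCHAR(19) = N'2,3';   -- constructed input

-- The pattern the thread warns about: the list is spliced into the statement
-- text, so whatever @comp_cod contains is executed as SQL.
-- EXEC (N'SELECT * FROM #companies WHERE CompCode IN (' + @comp_cod + N')');

-- Parameterized form: @list is handed to sp_executesql as data and never
-- becomes statement text. Inside the batch, Tally yields positions 1..LEN(@list),
-- Starts collects position 1 plus the position after every comma, and Items
-- cuts each item from its start up to the next comma (or the end of the string).
DECLARE @sql NVARCHAR(MAX) = N'
WITH E1(n) AS (SELECT 1 FROM (VALUES (1),(1),(1),(1),(1),(1),(1),(1),(1),(1)) AS v(n)),
     Tally(n) AS (SELECT TOP (LEN(@list)) ROW_NUMBER() OVER (ORDER BY (SELECT NULL))
                  FROM E1 AS a CROSS JOIN E1 AS b),   -- 100 rows, more than NVARCHAR(19) needs
     Starts(n) AS (SELECT 1
                   UNION ALL
                   SELECT n + 1 FROM Tally WHERE SUBSTRING(@list, n, 1) = N'',''),
     Items AS (SELECT Item = SUBSTRING(@list, n,
                              ISNULL(NULLIF(CHARINDEX(N'','', @list, n), 0), 8000) - n)
               FROM Starts)
SELECT c.*
FROM #companies AS c
WHERE c.CompCode IN (SELECT Item FROM Items);';

EXEC sys.sp_executesql @sql, N'@list NVARCHAR(19)', @list = @comp_cod;

DROP TABLE #companies;
```

With the constructed list N'2,3' the batch returns the rows for codes 2 and 3. The Tally CTE is capped by the parameter's declared length, so a longer list would need a larger tally (more cross joins of E1) and a wider parameter; the quoting inside the dynamic string (N'','' for a single comma) is the only part that changes if the delimiter does.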
Dharma
Forum Newbie (8 reputation)
Group: General Forum Members
Points: 8 Visits: 37
You can use the query below directly if you are using the latest version, as Microsoft implemented the STRING_SPLIT() built-in function, which converts a string into rows as per the separator. If this function is not available in your version, you can use the logic in the next block to populate the table variable and use it in the query as explained above.

exec sp_executesql N'select * from companies CROSS APPLY STRING_SPLIT(@comp_cod,'','') AS S where comp_cod = S.value',N'@comp_cod nvarchar(19)',@comp_cod=N'2,3'


--populate table variable using the below logic, and then use the same in the query as per Thom

declare @comp_cod varchar(10) = '2,3'

select R.r.value('.', 'varchar(100)') as comp_code
from (
    select cast(('<R>' + replace(@comp_cod, ',', '</R><R>') + '</R>') as xml) as Code
) as C
cross apply Code.nodes('/R') as R(r)
GO
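Two things the STRING_SPLIT and XML variants above do not handle are whitespace around items and items that are not valid codes at all. The following T-SQL is an added example written for this page, not code from the thread or from any poster. It keeps the thread's names (#companies, CompCode, @comp_cod); the @items table variable, the integer-only validation rule and the sample list are assumptions.

```sql
-- Added example, not code from this thread: STRING_SPLIT (SQL Server 2016+,
-- database compatibility level 130 or higher) with the items trimmed and
-- validated before they reach the IN clause. #companies, CompCode and
-- @comp_cod follow the thread; @items and the validation rule are assumed.
CREATE TABLE #companies (CompCode NVARCHAR(10));
INSERT #companies (CompCode) VALUES (N'2'), (N'3'), (N'4');

DECLARE @comp_cod NVARCHAR(19) = N'2, 3';  -- constructed input with a space after the comma
DECLARE @items TABLE (Item NVARCHAR(10) NOT NULL);

-- STRING_SPLIT does not trim, so without LTRIM the second item would be N' 3',
-- which never equals N'3' (SQL Server ignores trailing, not leading, spaces).
INSERT @items (Item)
SELECT LTRIM(RTRIM(s.value))
FROM STRING_SPLIT(@comp_cod, N',') AS s;

-- Fail the whole request if any item is empty or not an integer code;
-- TRY_CONVERT returns NULL for bad input instead of raising a conversion error.
IF EXISTS (SELECT 1 FROM @items WHERE Item = N'' OR TRY_CONVERT(int, Item) IS NULL)
    THROW 50001, N'Company code list contains an item that is not an integer code.', 1;

SELECT c.*
FROM #companies AS c
WHERE c.CompCode IN (SELECT i.Item FROM @items AS i);

DROP TABLE #companies;
```

With N'2, 3' the batch returns the rows for codes 2 and 3; a list such as N'2,x' stops at the THROW before any lookup runs, which is the behaviour you want when the list originates outside the database. The XML splitter in the post above has a related edge case: an item containing '<' or '&' makes the cast to xml fail, so it should only be used where the items are known to be plain codes.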

