• Interesting idea to use XML as a means of passing the parameters, could certainly be very practical.

    I am interested in the blanket statement: 'dynamic SQL is a bad idea'? Yes, if handled improperly there is the possibility of a SQL injection attack. However, this is mitigated with the use of the parameter list. The biggest obstacles I have found to deal with depend on the number of applicable predicate conditions. If the list is short, say less than or equal to ten conditions, then code maintenance isn't that bad. As that list increases, I will admit that it becomes a hassle to maintain.

    Erland Sommarskog provides probably the best documentation on how to handle dynamic search conditions. He provides multiple solutions, evaluating the pros and cons of each:

    http://www.sommarskog.se/dyn-search.html

    And then choose to view the document based on the version of SQL Server that fits your situation.
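As an added illustration of the parameter-list approach the comment above refers to (example code written for this page, not taken from the comment or from Sommarskog's article), the T-SQL below builds a search with optional predicates and runs it through sys.sp_executesql. The table dbo.Orders, its columns, and the procedure name dbo.SearchOrders are assumptions made for the example. The only text concatenated into the statement is fixed SQL fragments written in the procedure; every caller-supplied value travels as a parameter, so the generated statement contains parameter markers rather than values and the injection risk the comment mentions does not arise. Each additional optional predicate costs one IF block plus one entry in the parameter definition string, which is the maintenance growth the comment describes.

```sql
-- Added example: dynamic search conditions with a parameter list.
-- dbo.Orders and dbo.SearchOrders are hypothetical names for this example.
CREATE PROCEDURE dbo.SearchOrders
    @CustomerId   int          = NULL,
    @Status       varchar(20)  = NULL,
    @FromDate     date         = NULL,
    @ToDate       date         = NULL,
    @DebugPrint   bit          = 0
AS
BEGIN
    SET NOCOUNT ON;

    -- Fixed SQL written here; "WHERE 1 = 1" lets every predicate start with AND.
    DECLARE @sql nvarchar(max) = N'
SELECT o.OrderId, o.CustomerId, o.Status, o.OrderDate, o.Total
FROM   dbo.Orders AS o
WHERE  1 = 1';

    -- Each optional predicate is appended only when its parameter was supplied.
    -- The appended text holds a parameter marker, never the caller's value,
    -- so concatenating it is safe. The unsafe alternative would be
    -- N' AND o.Status = ''' + @Status + '''' which splices the value into the SQL.
    IF @CustomerId IS NOT NULL
        SET @sql += N' AND o.CustomerId = @CustomerId';

    IF @Status IS NOT NULL
        SET @sql += N' AND o.Status = @Status';

    IF @FromDate IS NOT NULL
        SET @sql += N' AND o.OrderDate >= @FromDate';

    -- Upper bound is exclusive on the following day so a datetime column
    -- still includes the whole of @ToDate.
    IF @ToDate IS NOT NULL
        SET @sql += N' AND o.OrderDate < DATEADD(day, 1, @ToDate)';

    SET @sql += N'
ORDER BY o.OrderDate DESC;';

    IF @DebugPrint = 1
        PRINT @sql;   -- inspect the generated statement while developing

    -- The parameter definition always declares every parameter, even ones the
    -- current @sql does not reference; sp_executesql simply ignores the extras.
    -- Because the SQL text only varies by which fixed fragments were appended,
    -- each distinct combination also gets its own cached, reusable plan.
    EXEC sys.sp_executesql
        @sql,
        N'@CustomerId int, @Status varchar(20), @FromDate date, @ToDate date',
        @CustomerId = @CustomerId,
        @Status     = @Status,
        @FromDate   = @FromDate,
        @ToDate     = @ToDate;
END;
GO

-- Constructed usage. The second call passes a string that would terminate
-- the literal and append a tautology if it were concatenated; here it is
-- compared as the literal value ' OR 1=1 -- and matches nothing.
EXEC dbo.SearchOrders @Status = 'Shipped', @FromDate = '2024-01-01';
EXEC dbo.SearchOrders @Status = ''' OR 1=1 --', @DebugPrint = 1;
```

Running the second call with @DebugPrint = 1 prints a statement containing `o.Status = @Status` rather than the attacker's text, which is the quick check to apply whenever a dynamic-search procedure is reviewed: if any caller-supplied value appears in the printed SQL, it was concatenated instead of parameterized.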