Jeff Moden (5/6/2014)
Sean Lange (5/1/2014)
The first and the biggest issue is this is wide open to SQL injection.

In most cases, I'd strongly agree with you but... with two DATE, one INT, and one CHAR(1) parameters, I'd have to say that SQL Injection is impossible for the given code.
As to whether or not dynamic SQL is required for the original query, I'd have to agree with you and the others... NOT.
The question is too vague and unstructured to provide anything more than a guess, so here goes:
-- Four mutually exclusive branches. The ELSEs matter: without them, a call that
-- supplies both @type and @cid would fall through and return three result sets.
IF @type <> '' AND @cid <> ''
    SELECT * FROM tbl
    WHERE [date] BETWEEN @frmdt AND @todt
      AND cid = @cid
      AND [type] = @type
ELSE IF @type <> ''
    SELECT * FROM tbl
    WHERE [date] BETWEEN @frmdt AND @todt
      AND [type] = @type
ELSE IF @cid <> ''
    SELECT * FROM tbl
    WHERE [date] BETWEEN @frmdt AND @todt
      AND cid = @cid
ELSE -- @type = '' AND @cid = ''
    SELECT * FROM tbl
    WHERE [date] BETWEEN @frmdt AND @todt
For fast, accurate and documented assistance in answering your questions, please read this article.
Understanding and using APPLY, (I) and (II) (Paul White)
Hidden RBAR: Triangular Joins (Jeff Moden)
The "Numbers" or "Tally" Table: What it is and how it replaces a loop (Jeff Moden)
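As an added example (not code from Jeff's or Sean's posts), here is the query behind this thread written three ways in T-SQL: the string-concatenated dynamic SQL that Sean's objection is aimed at, a parameterized sp_executesql version that keeps the variable WHERE clause but closes the injection hole, and a single static statement with OPTION (RECOMPILE) that needs no dynamic SQL at all. The table name tbl and the columns [date], cid and [type] come from the post, and the parameter types follow Jeff's "two DATE, one INT, and one CHAR(1)"; the procedure names, the sample rows, and the NVARCHAR(50) widening of @type in the first procedure are assumptions made here for illustration.

```sql
-- Added example, not code from the original post. Assumes a table dbo.tbl with
-- columns [date] DATE, cid INT and [type] CHAR(1) (names from the post). The
-- procedure names, sample rows and the widened @type in procedure 1 are
-- constructed for illustration.
CREATE TABLE dbo.tbl ([date] DATE NOT NULL, cid INT NOT NULL, [type] CHAR(1) NOT NULL);
INSERT INTO dbo.tbl ([date], cid, [type]) VALUES
    ('2014-05-01', 1, 'A'), ('2014-05-02', 2, 'B'), ('2014-05-03', 1, 'B');
GO

-- 1) The shape Sean's comment targets: the WHERE clause is assembled by string
--    concatenation. A payload needs room, which the widened @type provides;
--    with the post's CHAR(1) only a single character ever reaches the string.
CREATE PROCEDURE dbo.Search_Concat
    @frmdt DATE, @todt DATE, @cid INT, @type NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) = N'SELECT * FROM dbo.tbl WHERE [date] BETWEEN '''
        + CONVERT(CHAR(10), @frmdt, 120) + N''' AND ''' + CONVERT(CHAR(10), @todt, 120) + N'''';
    IF @cid <> 0    SET @sql += N' AND cid = ' + CONVERT(NVARCHAR(11), @cid); -- INT: harmless
    IF @type <> N'' SET @sql += N' AND [type] = ''' + @type + N'''';          -- injection point
    EXEC (@sql);
END
GO

-- 2) Dynamic SQL kept, injection removed: only fixed fragments are concatenated
--    and every user value travels to sp_executesql as a typed parameter.
CREATE PROCEDURE dbo.Search_Parameterized
    @frmdt DATE, @todt DATE, @cid INT, @type CHAR(1)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) = N'SELECT * FROM dbo.tbl WHERE [date] BETWEEN @frmdt AND @todt';
    IF @cid <> 0   SET @sql += N' AND cid = @cid';
    IF @type <> '' SET @sql += N' AND [type] = @type';
    EXEC sys.sp_executesql @sql,
        N'@frmdt DATE, @todt DATE, @cid INT, @type CHAR(1)',
        @frmdt, @todt, @cid, @type;
END
GO

-- 3) No dynamic SQL at all. OPTION (RECOMPILE) lets the optimizer treat @cid and
--    @type as constants on each call and drop the predicates that are switched
--    off, so one statement replaces the four IF branches in the post.
CREATE PROCEDURE dbo.Search_Static
    @frmdt DATE, @todt DATE, @cid INT, @type CHAR(1)
AS
BEGIN
    SELECT *
    FROM dbo.tbl
    WHERE [date] BETWEEN @frmdt AND @todt
      AND (@cid = 0   OR cid    = @cid)
      AND (@type = '' OR [type] = @type)
    OPTION (RECOMPILE);
END
GO

-- Same filter through all three: each returns the two 'B' rows.
EXEC dbo.Search_Concat        '2014-05-01', '2014-05-31', 0, N'B';
EXEC dbo.Search_Parameterized '2014-05-01', '2014-05-31', 0, 'B';
EXEC dbo.Search_Static        '2014-05-01', '2014-05-31', 0, 'B';

-- The payload that separates them. Search_Concat ends up executing
--   ... AND [type] = 'x' OR 1=1 --'
-- and returns every row in the table. The CHAR(1) procedures receive only 'x'
-- (parameter assignment truncates silently) and return no rows.
EXEC dbo.Search_Concat        '2014-05-01', '2014-05-31', 0, N'x'' OR 1=1 --';
EXEC dbo.Search_Parameterized '2014-05-01', '2014-05-31', 0, 'x'' OR 1=1 --';
EXEC dbo.Search_Static        '2014-05-01', '2014-05-31', 0, 'x'' OR 1=1 --';
```

The point Jeff makes rests on the declared parameter types, not on the concatenation itself: widen @type from CHAR(1) to a string of useful length and procedure 1 becomes injectable without any other change, which is why the sp_executesql form is the one to keep if the statement text really must vary. The static form trades that for a compile on every call, which is acceptable for a search procedure with a handful of optional filters but worth measuring on a hot path.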