• GilaMonster (11/10/2008)


    Patrick Russell (11/10/2008)


    I guess I hadn't thought of that. I actually try to stay away from dynamic SQL. I always thought there were SQL injection issues with it. Only use it if it's really necessary. This may qualify.

    Providing you use sp_executesql properly with parameters, there's no SQL injection issue here. Dynamic SQL is a use-only-when-absolutely-necessary technique, but this is one of those places where there really isn't a good alternative that performs well.

    Wouldn't the User still need Select permissions on the tables?

    Yes. Make sure it's just select and just on those tables.

    Tell me if I am wrong, but wouldn't this be one of those times in SQL Server 2005 (yes, I know this is a SQL Server 7, 2000 forum, but I have to ask) that using EXECUTE AS and an "internal username" with select-only permissions on the necessary tables would be worthwhile?
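
The two points discussed in this thread, parameterized sp_executesql and an EXECUTE AS user limited to SELECT, combined in one procedure. This is an added example, not code posted by anyone in the thread. The objects dbo.Customers, SearchReader, AppUser and dbo.SearchCustomers are hypothetical, and the syntax assumes SQL Server 2005 or later.

```sql
-- Hypothetical "internal" user with no login: SELECT only, on one table only.
CREATE USER SearchReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO SearchReader;
GO

CREATE PROCEDURE dbo.SearchCustomers
    @LastName nvarchar(50) = NULL,
    @City     nvarchar(50) = NULL
WITH EXECUTE AS 'SearchReader'   -- dynamic SQL below runs as this user
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerID, LastName, City
                 FROM dbo.Customers
                 WHERE 1 = 1';

    -- Injectable form, shown only for contrast (value becomes statement text):
    --   SET @sql = @sql + N' AND LastName = ''' + @LastName + N'''';

    -- Parameterized form: only fixed text is appended to the statement.
    -- The caller's values never become part of the SQL string.
    IF @LastName IS NOT NULL
        SET @sql = @sql + N' AND LastName = @LastName';
    IF @City IS NOT NULL
        SET @sql = @sql + N' AND City = @City';

    -- Parameters declared here but unused by the statement are allowed.
    EXEC sp_executesql
        @sql,
        N'@LastName nvarchar(50), @City nvarchar(50)',
        @LastName = @LastName,
        @City     = @City;
END
GO

-- The application user needs EXECUTE on the procedure only, and no
-- SELECT on dbo.Customers (AppUser is hypothetical and must already exist).
GRANT EXECUTE ON dbo.SearchCustomers TO AppUser;
```

Without the EXECUTE AS clause, the dynamic statement is permission-checked against the caller, which is why the caller would otherwise need SELECT on the table.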