April 18, 2003 at 12:00 am
Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/rmarda/howtobuilddynamicstoredprocedures.asp
Robert W. Marda
Billing and OSS Specialist - SQL Programmer
MCL Systems
April 24, 2003 at 8:14 am
Just a quick note: when building dynamic SQL in a sproc, SQL Server will not usually cache the query plan unless you use one of the built-in stored procedures to execute the code. So, instead of simply writing this:
exec (@strSQL)
It is actually better over the long run to write this:
exec sp_executeSQL @strSQL
The one drawback here is that the sproc, sp_executeSQL, expects its parameter as nVarchar, so you will be limited to 4000 characters instead of 8000. See more than you need to know in BOL.
Thanks,
DH.
April 24, 2003 at 8:39 am
I don't think we currently use sp_executeSQL and I have used it only a few times. So I am not an expert with its use. We have many dynamic stored procedures in production that have more than 4,000 characters in the query built and some even exceed 8,000 characters. So being limited to 4,000 is not an option. I tried to use the same technique I showed in example 2 of my article but couldn't get it to work so it appears there is no way to extend the max beyond 4,000 characters, where as with the EXEC command I don't know of a limit to how many varchar(8000) variables you can add together at the time you execute the code and so your code is theoretically not limited.
The trade off is that you lose benefit of most if not all caching done by SQL Server. For us this hasn't been a problem since most of what we have in production completes within a few seconds of execution with or without caching. It will depend on your individual situation if you can accept this type of performance or not.
Robert W. Marda
SQL Programmer
bigdough.com
The world’s leading capital markets contact database and software platform.
Robert W. Marda
Billing and OSS Specialist - SQL Programmer
MCL Systems
April 24, 2003 at 9:38 am
One more difference between EXEC and sp_executesql is that first one does not allow you to run parameterized queries.
sp_executesql allows you to parameterize the sql and inturn helps in caching and re-use of execution plans.
The issue related to dynamic sqls, parameterized sqls and memory is discussed in following link
http://www.sqlservercentral.com/forum/link.asp?TOPIC_ID=11407
April 24, 2003 at 9:41 am
Is there a significant performance benefit to building dynamic SQL in a stored procedure instead of from within code?
April 25, 2003 at 10:30 am
Unless you manage to get an execution plan that can be reused (and usually you don't) then you can say there is no performance benifit.
For me, the benefit is that no changes have to be made to the web site or internal applications for most changes in the stored procedure. Particularly useful when I find a quicker way to get the same result set.
You could realize a slight performance benifit because you would not have to send thousands of characters from the client to the server. With the dynamic SP you simply send the call and the code is built server side and then immediately executed.
Robert W. Marda
SQL Programmer
bigdough.com
The world’s leading capital markets contact database and software platform.
Robert W. Marda
Billing and OSS Specialist - SQL Programmer
MCL Systems
December 15, 2005 at 10:48 pm
1. There is a redundant condition check in your example. Once we start building the WHERE clause, we've already passed the first check, which would have prevented our getting down to the second check.
IF @LastName <> '' AND @NameID <> 0 ... RETURN END ... --Begin building WHERE clause IF @LastName <> '' OR @NameID <> 0 ...
2. As has already been mentioned, performance of a dynamic SP will be poorer than a static SP. It would make more sense to generate the SP externally and then import them in a SQL stream, or to hook directly into SQL Server and do it programmatically. There's been a lot of work done in the realm of code generation (heck, entire system generation) that could serve as a model for this. As with most things, we trade performance for flexibilty and vice versa.
3. It should be noted that SQLServer2005 removes the 8000 character limit. This alone should be worth the migration.
4. How does the following statement provide SQL injection attack protection?
SET @LastName = REPLACE (@LastName, '''', '''''')
December 16, 2005 at 3:37 am
As someone who's had to maintain code embedded with char(10)s everywhere I can honestly say that the advice in the first section of this article is absolute tripe. It does NOT make it easier to read, nor does it make it easier to maintain.
December 16, 2005 at 5:51 am
When printing out the SQL statements, CHAR(10) does indeed make it easier to read. Maintenance on any sproc that uses dynamic sql however, depends on the complexity of the code.
From the examples given, I see no reason to use dynamic sql. There is no top clause, you do not need to dynamically determine a table name. If your production stored procedurees are setup like this, I would redesign them to take advantage of the sql engine.
December 16, 2005 at 7:09 am
I don't see any advantage to using dynamic store procedures. Also, it would be more difficult to tune and troubleshoot dynamic stored procedures if they constantly change. In addition, data validation should be done at the client side and not on the server side to save yourself a round trip.
December 16, 2005 at 7:28 am
I used a lot dynamic stored procedure.I had to, because they aren't really my first choice- I find it hard to read and to debug.
Anyway it was a good article.
Daniela
December 16, 2005 at 8:01 am
Heres a stored procedure I wrote sometime ago to generate get, add or update and delete stored procedures so you get the performance benefit of sps. As the naming convention is common you can generate class code etc. against them. I also use an sp to generate c# or vb class code to interface with the stored procedures. Doing data access in this way is very quick and tends to be bug free first time which is nice, possibly could be extended with your application to insert code specific to tables so that more table specific logic could be included. nb it also needs a stored procedure to retrieve records based on foreign keys.
Phil Nicholas
if exists(select * from sysobjects where name = 'sp_createStoredProcedures')
drop procedure sp_createStoredProcedures
GO
create procedure sp_createStoredProcedures(@tablename varchar(255), @Encryption bit = 1)
AS
BEGIN
DECLARE @sql varchar(8000)
-------------------------
--select sp
SET NOCOUNT ON
create table #temp(id int not null identity (1,1), txt varchar(8000))
insert #temp (txt)
select '--stored procedure to get an individual ' + @tablename + ' record' + @tablename
insert #temp (txt)
select 'if exists(select * from sysobjects where name = ''spGet_' + @tablename + ''')'
insert #temp (txt)
select 'drop procedure spGet_' + @tablename
insert #temp (txt)
select 'GO'
insert #temp (txt)
select 'create procedure spGet_' + @tablename
insert #temp (txt)
select char(9) + '@' + replace(c.name,' ', '_') + ' ' + t.name + ','
from sysindexes i
join sysobjects o on o.ID = i.id
join sysindexkeys ik on ik.indid = i.indid and ik.id = i.id
join syscolumns c on c.id = ik.id and ik.colid = c.colid
join systypes t on c.xtype = t.xtype
where o.name = @tablename AND (I.STATUS & 2048) = 2048
order by ik.keyno asc
if @@rowcount > 0
update #temp
set txt = substring(txt,1,len(txt)-1)
where [id] = @@identity
if @Encryption = 1
insert #temp (txt)
select 'WITH ENCRYPTION'
insert #temp (txt)
select 'AS'
insert #temp (txt)
select 'SELECT '
insert #temp (txt)
select char(9) + '[' + c.name + '],'
from sysobjects o join syscolumns c on o.id = c.id
where o.name = @tablename
order by colid asc
if @@rowcount > 0
update #temp
set txt = substring(txt,1,len(txt)-1)
where [id] = @@identity
insert #temp (txt)
select 'FROM '
insert #temp (txt)
select CHAR(9) + @tablename
insert #temp (txt)
select 'where '
insert #temp (txt)
select char(9) + '[' + c.name + '] = @' + replace(c.name,' ', '_') + ' and'
from sysindexes i
join sysobjects o on o.ID = i.id
join sysindexkeys ik on ik.indid = i.indid and ik.id = i.id
join syscolumns c on c.id = ik.id and ik.colid = c.colid
join systypes t on c.xtype = t.xtype
where o.name = @tablename AND (I.STATUS & 2048) = 2048
order by ik.keyno asc
if @@rowcount > 0
update #temp
set txt = substring(txt,1,len(txt)-4)
where [id] = @@identity
insert #temp (txt)
select 'GO'
insert #temp (txt) values ('')
-------------------------
--delete sp
insert #temp (txt)
select '--stored procedure to delete an individual ' + @tablename + ' record' + @tablename
insert #temp (txt)
select 'if exists(select * from sysobjects where name = ''spDelete_' + @tablename + ''')'
insert #temp (txt)
select 'drop procedure spDelete_' + @tablename
insert #temp (txt)
select 'GO'
insert #temp (txt)
select 'create procedure spDelete_' + @tablename
insert #temp (txt)
select char(9) + '@' + replace(c.name,' ', '_') + ' ' + t.name + ','
from sysindexes i
join sysobjects o on o.ID = i.id
join sysindexkeys ik on ik.indid = i.indid and ik.id = i.id
join syscolumns c on c.id = ik.id and ik.colid = c.colid
join systypes t on c.xtype = t.xtype
where o.name = @tablename AND (I.STATUS & 2048) = 2048
order by ik.keyno asc
if @@rowcount > 0
update #temp
set txt = substring(txt,1,len(txt)-1)
where [id] = @@identity
if @Encryption = 1
insert #temp (txt)
select 'WITH ENCRYPTION'
insert #temp (txt)
select 'AS'
insert #temp (txt)
select 'DELETE '
insert #temp (txt)
select 'FROM '
insert #temp (txt)
select CHAR(9) + @tablename
insert #temp (txt)
select 'WHERE '
insert #temp (txt)
select char(9) + '[' + c.name + '] = @' + replace(c.name,' ', '_') + ' AND'
from sysindexes i
join sysobjects o on o.ID = i.id
join sysindexkeys ik on ik.indid = i.indid and ik.id = i.id
join syscolumns c on c.id = ik.id and ik.colid = c.colid
join systypes t on c.xtype = t.xtype
where o.name = @tablename AND (I.STATUS & 2048) = 2048
order by ik.keyno asc
if @@rowcount > 0
update #temp
set txt = substring(txt,1,len(txt)-4)
where [id] = @@identity
insert #temp (txt)
select 'GO'
insert #temp (txt) values ('')
--sp_help tblpupil_key_indicators
-------------------------
--update/insert sp
insert #temp (txt)
select '--stored procedure to insert/add an individual ' + @tablename + ' record' + @tablename
insert #temp (txt)
select 'if exists(select * from sysobjects where name = ''spAddUpdate_' + @tablename + ''')'
insert #temp (txt)
select 'drop procedure spAddUpdate_' + @tablename
insert #temp (txt)
select 'GO'
insert #temp (txt)
select 'create procedure spAddUpdate_' + @tablename
insert #temp (txt)
select char(9) + '@' + replace(c.name,' ', '_') + ' ' + t.name +
case
when t.name in ('varchar', 'nvarchar', 'char', 'nchar') then ' (' + cast(c.length as varchar(20)) + ')'
when t.name in ('decimal') then ' (' + cast(c.prec as varchar(20)) + ',' + cast(c.scale as varchar(20)) + ')'
else '' end + ','
from
sysobjects o
join syscolumns c on c.id = o.id
join systypes t on c.xtype = t.xtype
where o.name = @tablename and NOT c.name LIKE '%_MOD_USER' and NOT c.name like '%_MOD_DATE'
order by c.colid asc
if @@rowcount > 0
update #temp
set txt = substring(txt,1,len(txt)-1)
where [id] = @@identity
if @Encryption = 1
insert #temp (txt)
select 'WITH ENCRYPTION'
insert #temp (txt)
select 'AS'
--empty sql string
set @sql = ''
--------do check for keys
--change to autoval key or primary key
if exists(select * from sysobjects o join syscolumns c on c.id = o.id where not autoval is null and o.name = @tablename)
select @sql = @sql + 'coalesce(@' + replace(c.name,' ', '_') + ',0) = 0 and '
from
sysobjects o
join syscolumns c on c.id = o.id
where not c.autoval is null and o.name = @tablename
else
select @sql = @sql + 'coalesce(@' + replace(c.name,' ', '_') + ',0) = 0 and '
from sysindexes i
join sysobjects o on o.ID = i.id
join sysindexkeys ik on ik.indid = i.indid and ik.id = i.id
join syscolumns c on c.id = ik.id and ik.colid = c.colid
join systypes t on c.xtype = t.xtype
where o.name = @tablename AND (I.STATUS & 2048) = 2048
order by ik.keyno asc
if @@rowcount > 0
begin
set @sql = 'IF ' + substring(@SQL,1,len(@SQL)-4)
insert #temp (txt)
select @sql
end
insert #temp (txt)
select 'BEGIN'
--empty sql string
set @sql = ''
--do insert col list
select @sql = @sql + '[' + c.name + '],'
from
sysobjects o
join syscolumns c on c.id = o.id
join systypes t on c.xtype = t.xtype
where o.name = @tablename and NOT c.name LIKE '%_MOD_USER' and NOT c.name like '%_MOD_DATE'
AND COALESCE(AUTOVAL,0)=0
order by c.colid asc
--insert param list
if @sql<>''
INSERT #TEMP
SELECT char(9) + 'INSERT ' + @TableName + '(' + substring(@SQL,1, len(@SQL)-1) + ')'
--empty sql string
set @sql = ''
--do insert col list
select @sql = @sql + '@' + replace(c.name,' ', '_') + ','
from
sysobjects o
join syscolumns c on c.id = o.id
join systypes t on c.xtype = t.xtype
where o.name = @TableName and NOT c.name LIKE '%_MOD_USER' and NOT c.name like '%_MOD_DATE' AND COALESCE(AUTOVAL,0)=0
order by c.colid asc
--insert param list
if @sql<>''
INSERT #TEMP (txt)
SELECT char(9) + 'VALUES (' + substring(@SQL,1, len(@SQL)-1) + ')'
if EXISTS( select * from sysobjects o join syscolumns c on c.id = o.id
where o.name = @tablename AND COALESCE(AUTOVAL,0)>=1)
insert #temp
select 'SELECT @@IDENTITY'
insert #temp (txt)
select 'END'
INSERT #TEMP (txt)
SELECT 'ELSE'
INSERT #TEMP (txt)
SELECT 'UPDATE ' + @tablename + ' SET '
INSERT #TEMP (txt)
select char(9) + '[' + c.name + '] = @' + replace(c.name,' ', '_') + ','
from
sysobjects o
join syscolumns c on c.id = o.id
where o.name = @TableName and NOT c.name LIKE '%_MOD_USER' and NOT c.name like '%_MOD_DATE'
and not exists (select * from sysindexes i join sysindexkeys ik on ik.id = i.id and ik.indid = i.indid where (i.status & 2048) = 2048 and ik.colid = c.colid and i.id = o.id)
and c.autoval is null
order by c.colid asc
--select * from sysindexkeys
if @@rowcount > 0
if @sql<>''
update #temp
set txt = substring(txt,1,len(txt)-1)
where [id] = @@identity
INSERT #TEMP (txt)
SELECT 'WHERE'
insert #temp (txt)
select char(9) + '[' + c.name + '] = coalesce(@' + replace(c.name,' ', '_') + ',0) and '
from sysindexes i
join sysobjects o on o.ID = i.id
join sysindexkeys ik on ik.indid = i.indid and ik.id = i.id
join syscolumns c on c.id = ik.id and ik.colid = c.colid
join systypes t on c.xtype = t.xtype
where o.name = @tablename AND (I.STATUS & 2048) = 2048
order by ik.keyno asc
if @@rowcount > 0
update #temp
set txt = substring(txt,1,len(txt)-4)
where [id] = @@identity
insert #temp (txt)
select 'GO'
insert #temp (txt) values ('')
select txt from #temp
order by id asc
drop table #temp
SET NOCOUNT OFF
END
GO
exec sp_createStoredProcedures 'sysobjects'
Phil Nicholas
December 16, 2005 at 8:14 am
Excuse my ignorance, but what are those CHAR(10) things doing? How does that work? Please explain.
December 16, 2005 at 8:23 am
Its just a formating thing - char(10) = newline , char(9) = tab, the article mentions using char(10)'s for formatting
Phil Nicholas
December 16, 2005 at 9:10 am
Is there any "simple" method how to protect (how to test) the dynamic SP against SQL injection ?
We stoped using dynamic SP because we was afraid of this problem.
Pavel Lstiburek
Viewing 15 posts - 1 through 15 (of 38 total)
You must be logged in to reply to this topic. Login to reply