How to Build Dynamic Stored Procedures

  • Robert W Marda

    SSChampion

    Points: 13413

    Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/rmarda/howtobuilddynamicstoredprocedures.asp

    Robert W. Marda
    Billing and OSS Specialist - SQL Programmer
    MCL Systems

  • bumbler

    SSC Enthusiast

    Points: 138

    Just a quick note: when building dynamic SQL in a sproc, SQL Server will not usually cache the query plan unless you use one of the built-in stored procedures to execute the code. So, instead of simply writing this:

    exec (@strSQL)

    It is actually better over the long run to write this:

    exec sp_executeSQL @strSQL

    The one drawback here is that the sproc, sp_executeSQL, expects its parameter as nVarchar, so you will be limited to 4000 characters instead of 8000. See more than you need to know in BOL.

    Thanks,

    DH.

  • Robert W Marda

    SSChampion

    Points: 13413

    I don't think we currently use sp_executeSQL and I have used it only a few times. So I am not an expert with its use. We have many dynamic stored procedures in production that have more than 4,000 characters in the query built and some even exceed 8,000 characters. So being limited to 4,000 is not an option. I tried to use the same technique I showed in example 2 of my article but couldn't get it to work so it appears there is no way to extend the max beyond 4,000 characters, where as with the EXEC command I don't know of a limit to how many varchar(8000) variables you can add together at the time you execute the code and so your code is theoretically not limited.

    The trade off is that you lose benefit of most if not all caching done by SQL Server. For us this hasn't been a problem since most of what we have in production completes within a few seconds of execution with or without caching. It will depend on your individual situation if you can accept this type of performance or not.

    Robert W. Marda

    SQL Programmer

    bigdough.com

    The world’s leading capital markets contact database and software platform.

    Robert W. Marda
    Billing and OSS Specialist - SQL Programmer
    MCL Systems

  • Rajesh Patavardhan

    SSCrazy

    Points: 2801

    One more difference between EXEC and sp_executesql is that first one does not allow you to run parameterized queries.

    sp_executesql allows you to parameterize the sql and inturn helps in caching and re-use of execution plans.

    The issue related to dynamic sqls, parameterized sqls and memory is discussed in following link

    http://www.sqlservercentral.com/forum/link.asp?TOPIC_ID=11407

  • kevkaz

    SSC Veteran

    Points: 235

    Is there a significant performance benefit to building dynamic SQL in a stored procedure instead of from within code?

  • Robert W Marda

    SSChampion

    Points: 13413

    Unless you manage to get an execution plan that can be reused (and usually you don't) then you can say there is no performance benifit.

    For me, the benefit is that no changes have to be made to the web site or internal applications for most changes in the stored procedure. Particularly useful when I find a quicker way to get the same result set.

    You could realize a slight performance benifit because you would not have to send thousands of characters from the client to the server. With the dynamic SP you simply send the call and the code is built server side and then immediately executed.

    Robert W. Marda

    SQL Programmer

    bigdough.com

    The world’s leading capital markets contact database and software platform.

    Robert W. Marda
    Billing and OSS Specialist - SQL Programmer
    MCL Systems

  • mark hutchinson

    SSC Eights!

    Points: 878

    1. There is a redundant condition check in your example.  Once we start building the WHERE clause, we've already passed the first check, which would have prevented our getting down to the second check.

    IF @LastName <> '' AND @NameID <> 0
       ...
       RETURN
    END
    ...
    --Begin building WHERE clause
    IF @LastName <> '' OR @NameID <> 0
    ...

    2. As has already been mentioned, performance of a dynamic SP will be poorer than a static SP.  It would make more sense to generate the SP externally and then import them in a SQL stream, or to hook directly into SQL Server and do it programmatically.  There's been a lot of work done in the realm of code generation (heck, entire system generation) that could serve as a model for this.  As with most things, we trade performance for flexibilty and vice versa.

    3. It should be noted that SQLServer2005 removes the 8000 character limit.  This alone should be worth the migration.

    4. How does the following statement provide SQL injection attack protection?

    SET @LastName = REPLACE (@LastName, '''', '''''')

  • Oli Wilkinson

    SSC Enthusiast

    Points: 147

    As someone who's had to maintain code embedded with char(10)s everywhere I can honestly say that the advice in the first section of this article is absolute tripe. It does NOT make it easier to read, nor does it make it easier to maintain.

  • cliffb

    SSCarpal Tunnel

    Points: 4547

    When printing out the SQL statements, CHAR(10) does indeed make it easier to read. Maintenance on any sproc that uses dynamic sql however, depends on the complexity of the code.

    From the examples given, I see no reason to use dynamic sql. There is no top clause, you do not need to dynamically determine a table name. If your production stored procedurees are setup like this, I would redesign them to take advantage of the sql engine.

     

  • JL Dominguez-246595

    SSC Enthusiast

    Points: 135

    I don't see any advantage to using dynamic store procedures. Also, it would be more difficult to tune and troubleshoot dynamic stored procedures if they constantly change.  In addition, data validation should be done at the client side and not on the server side to save yourself a round trip.

  • Daniela-267581

    SSC Eights!

    Points: 979

    I used a lot dynamic stored procedure.I had to, because they aren't really my first choice- I find it hard to read and to debug.

    Anyway it was a good article.

     


    Daniela

  • Phil.Nicholas

    SSCrazy

    Points: 2067

    Heres a stored procedure I wrote sometime ago to generate get, add or update and delete stored procedures so you get the performance benefit of sps. As the naming convention is common you can generate class code etc. against them. I also use an sp to generate c# or vb class code to interface with the stored procedures. Doing data access in this way is very quick and tends to be bug free first time which is nice, possibly could be extended with your application to insert code specific to tables so that more table specific logic could be included. nb it also needs a stored procedure to retrieve records based on foreign keys.

    Phil Nicholas

     

    if exists(select * from sysobjects where name = 'sp_createStoredProcedures')

    drop procedure sp_createStoredProcedures

    GO

    create procedure sp_createStoredProcedures(@tablename varchar(255), @Encryption bit = 1)

    AS

    BEGIN

    DECLARE @SQL varchar(8000)

    -------------------------

    --select sp 

     SET NOCOUNT ON

     create table #temp(id int not null identity (1,1), txt varchar(8000))

     insert #temp (txt)

     select '--stored procedure to get an individual ' + @tablename + '  record' + @tablename

     insert #temp (txt)

     select 'if exists(select * from sysobjects where name = ''spGet_' + @tablename + ''')'

     insert #temp (txt)

     select 'drop procedure spGet_' + @tablename

     insert #temp (txt)

     select 'GO'

     insert #temp (txt)

     select 'create procedure spGet_' + @tablename

     insert #temp (txt)

     select char(9) + '@' + replace(c.name,' ', '_') + ' ' + t.name + ','

     from sysindexes i

     join sysobjects o on o.ID = i.id

     join sysindexkeys ik on ik.indid = i.indid  and ik.id = i.id

     join syscolumns c on c.id = ik.id  and ik.colid = c.colid

     join systypes t on c.xtype = t.xtype

     where o.name = @tablename AND (I.STATUS & 2048) = 2048

     order by ik.keyno asc

     

     if @@rowcount > 0

      update #temp

      set txt = substring(txt,1,len(txt)-1)

      where [id] = @@identity

     if @Encryption = 1

      insert #temp (txt)

      select 'WITH ENCRYPTION'

     insert #temp (txt)

     select 'AS'

     insert #temp (txt)

     select 'SELECT '

     insert #temp (txt)

     select char(9) + '[' + c.name + '],'

     from sysobjects o join syscolumns c on o.id = c.id

     where  o.name = @tablename

     order by colid asc

     if @@rowcount > 0

      update #temp

      set txt = substring(txt,1,len(txt)-1)

      where [id] = @@identity

     insert #temp (txt)

     select 'FROM '

     insert #temp (txt)

     select CHAR(9) + @tablename

     insert #temp  (txt)

     select 'where '

     insert #temp (txt)

     select char(9) + '[' + c.name + '] = @' + replace(c.name,' ', '_') + ' and'

     from sysindexes i

     join sysobjects o on o.ID = i.id

     join sysindexkeys ik on ik.indid = i.indid  and ik.id = i.id

     join syscolumns c on c.id = ik.id  and ik.colid = c.colid

     join systypes t on c.xtype = t.xtype

     where o.name = @tablename AND (I.STATUS & 2048) = 2048

     order by ik.keyno asc

     if @@rowcount > 0

      update #temp

      set txt = substring(txt,1,len(txt)-4)

      where [id] = @@identity

     insert #temp (txt)

     select 'GO'

     insert #temp (txt) values ('')

    -------------------------

    --delete sp 

     insert #temp (txt)

     select '--stored procedure to delete an individual ' + @tablename + '  record' + @tablename

     insert #temp (txt)

     select 'if exists(select * from sysobjects where name = ''spDelete_' + @tablename + ''')'

     insert #temp (txt)

     select 'drop procedure spDelete_' + @tablename

     insert #temp (txt)

     select 'GO'

     insert #temp (txt)

     select 'create procedure spDelete_' + @tablename

     insert #temp (txt)

     select char(9) + '@' + replace(c.name,' ', '_') + ' ' + t.name + ','

     from sysindexes i

     join sysobjects o on o.ID = i.id

     join sysindexkeys ik on ik.indid = i.indid  and ik.id = i.id

     join syscolumns c on c.id = ik.id  and ik.colid = c.colid

     join systypes t on c.xtype = t.xtype

     where o.name = @tablename AND (I.STATUS & 2048) = 2048

     order by ik.keyno asc

     if @@rowcount > 0

      update #temp

      set txt = substring(txt,1,len(txt)-1)

      where [id] = @@identity

     if @Encryption = 1

      insert #temp (txt)

      select 'WITH ENCRYPTION'

     insert #temp (txt)

     select 'AS'

     insert #temp (txt)

     select 'DELETE '

     insert #temp (txt)

     select 'FROM '

     insert #temp (txt)

     select CHAR(9) + @tablename

     insert #temp  (txt)

     select 'WHERE '

     insert #temp (txt)

     select char(9) + '[' + c.name + '] = @' + replace(c.name,' ', '_') + ' AND'

     from sysindexes i

     join sysobjects o on o.ID = i.id

     join sysindexkeys ik on ik.indid = i.indid  and ik.id = i.id

     join syscolumns c on c.id = ik.id  and ik.colid = c.colid

     join systypes t on c.xtype = t.xtype

     where o.name = @tablename AND (I.STATUS & 2048) = 2048

     order by ik.keyno asc

     if @@rowcount > 0

      update #temp

      set txt = substring(txt,1,len(txt)-4)

      where [id] = @@identity

     insert #temp (txt)

     select 'GO'

     insert #temp (txt) values ('')

    --sp_help tblpupil_key_indicators

    -------------------------

    --update/insert sp 

     insert #temp (txt)

     select '--stored procedure to insert/add an individual ' + @tablename + '  record' + @tablename

     insert #temp (txt)

     select 'if exists(select * from sysobjects where name = ''spAddUpdate_' + @tablename + ''')'

     insert #temp (txt)

     select 'drop procedure spAddUpdate_' + @tablename

     insert #temp (txt)

     select 'GO'

     insert #temp (txt)

     select 'create procedure spAddUpdate_' + @tablename

     insert #temp (txt)

     select char(9) + '@' + replace(c.name,' ', '_') + ' ' + t.name +

      case 

       when t.name in ('varchar', 'nvarchar', 'char', 'nchar') then ' (' + cast(c.length as varchar(20)) + ')'

       when t.name in ('decimal') then  ' (' + cast(c.prec as varchar(20)) + ','  + cast(c.scale as varchar(20)) + ')'

       else '' end + ','

     from

     sysobjects o

     join syscolumns c on c.id = o.id

     join systypes t on c.xtype = t.xtype

     where o.name = @tablename and NOT c.name LIKE '%_MOD_USER' and NOT c.name like '%_MOD_DATE'

     order by c.colid asc

     if @@rowcount > 0

      update #temp

      set txt = substring(txt,1,len(txt)-1)

      where [id] = @@identity

     if @Encryption = 1

      insert #temp (txt)

      select 'WITH ENCRYPTION'

     insert #temp (txt)

     select 'AS'

     --empty sql string

     set @SQL = ''

    --------do check for keys

    --change to autoval key or primary key

    if exists(select * from sysobjects o join syscolumns c on c.id = o.id where not autoval is null and o.name = @tablename)

     select @SQL = @SQL + 'coalesce(@' + replace(c.name,' ', '_') + ',0) = 0 and '

     from

     sysobjects o

     join syscolumns c on c.id = o.id

     where not c.autoval is null and o.name = @tablename

    else

     select @SQL = @SQL + 'coalesce(@' + replace(c.name,' ', '_') + ',0) = 0 and '

     from sysindexes i

     join sysobjects o on o.ID = i.id

     join sysindexkeys ik on ik.indid = i.indid  and ik.id = i.id

     join syscolumns c on c.id = ik.id  and ik.colid = c.colid

     join systypes t on c.xtype = t.xtype

     where o.name = @tablename AND (I.STATUS & 2048) = 2048

     order by ik.keyno asc

     if @@rowcount > 0

     begin

      set @SQL = 'IF ' + substring(@SQL,1,len(@SQL)-4)

      insert #temp (txt)

      select @SQL

     end

     insert #temp (txt)

     select 'BEGIN'

     --empty sql string

     set @SQL = ''

     --do insert col list

     select @SQL = @SQL + '[' + c.name + '],'

     from

     sysobjects o

     join syscolumns c on c.id = o.id

     join systypes t on c.xtype = t.xtype

     where o.name = @tablename and NOT c.name LIKE '%_MOD_USER' and NOT c.name like '%_MOD_DATE'

     AND COALESCE(AUTOVAL,0)=0

     order by c.colid asc

     --insert param list

     if @SQL<>''

     INSERT #TEMP

     SELECT char(9) + 'INSERT ' + @TableName + '(' + substring(@SQL,1, len(@SQL)-1) + ')'

     --empty sql string

     set @SQL = ''

     --do insert col list

     select @SQL = @SQL + '@' + replace(c.name,' ', '_') + ','

     from

     sysobjects o

     join syscolumns c on c.id = o.id

     join systypes t on c.xtype = t.xtype

     where o.name = @TableName and NOT c.name LIKE '%_MOD_USER' and NOT c.name like '%_MOD_DATE' AND COALESCE(AUTOVAL,0)=0

     order by c.colid asc

     --insert param list

     if @SQL<>''

     INSERT #TEMP (txt)

     SELECT char(9) + 'VALUES (' + substring(@SQL,1, len(@SQL)-1) + ')'

     if EXISTS( select * from  sysobjects o join syscolumns c on c.id = o.id

      where o.name = @tablename AND COALESCE(AUTOVAL,0)>=1)

     insert #temp

     select 'SELECT @@IDENTITY'

     

     insert #temp (txt)

     select 'END'

     INSERT #TEMP (txt)

     SELECT 'ELSE'

     

     INSERT #TEMP (txt)

     SELECT 'UPDATE ' + @tablename + ' SET '

     

     INSERT #TEMP (txt)

     select char(9) + '[' + c.name + '] = @' + replace(c.name,' ', '_') + ','

     from

     sysobjects o

     join syscolumns c on c.id = o.id

     where o.name = @TableName and NOT c.name LIKE '%_MOD_USER' and NOT c.name like '%_MOD_DATE'

     and not exists (select * from sysindexes i join sysindexkeys ik on ik.id = i.id  and ik.indid = i.indid where  (i.status & 2048) = 2048 and ik.colid = c.colid and i.id = o.id)

     and c.autoval is null

     order by c.colid asc

    --select * from sysindexkeys

     if @@rowcount > 0

      if @SQL<>''

       update #temp

       set txt = substring(txt,1,len(txt)-1)

       where [id] = @@identity

     INSERT #TEMP (txt)

     SELECT 'WHERE'

     insert #temp (txt)

     select  char(9) + '[' + c.name + '] = coalesce(@' + replace(c.name,' ', '_') + ',0) and '

     from sysindexes i

     join sysobjects o on o.ID = i.id

     join sysindexkeys ik on ik.indid = i.indid  and ik.id = i.id

     join syscolumns c on c.id = ik.id  and ik.colid = c.colid

     join systypes t on c.xtype = t.xtype

     where o.name = @tablename AND (I.STATUS & 2048) = 2048

     order by ik.keyno asc

     if @@rowcount > 0

      update #temp

      set txt = substring(txt,1,len(txt)-4)

      where [id] = @@identity

     insert #temp (txt)

     select 'GO'

     

     

     insert #temp (txt) values ('')

     select txt from #temp

     order by id asc

     drop table #temp

     SET NOCOUNT OFF

    END

    GO

    exec sp_createStoredProcedures 'sysobjects'

     


    Phil Nicholas

  • Scott D. Smith

    SSC Veteran

    Points: 278

    Excuse my ignorance, but what are those CHAR(10) things doing? How does that work? Please explain.

  • Phil.Nicholas

    SSCrazy

    Points: 2067

    Its just a formating thing - char(10) = newline , char(9) = tab, the article mentions using char(10)'s for formatting 


    Phil Nicholas

  • Pavel Lstiburek

    Valued Member

    Points: 63

    Is there any "simple" method how to protect (how to test) the dynamic SP against SQL injection ?

    We stoped using dynamic SP because we was afraid of this problem.

    Pavel Lstiburek

Viewing 15 posts - 1 through 15 (of 39 total)

You must be logged in to reply to this topic. Login to reply