tags:

views:

593

answers:

5
Q: 

Alternative to executing dynamic sql

I currently have a 'Filter' object which corresponds to a business object. This object has properties that relate to the different ways that I want to be able to filter/search a list of such business objects. Currently these Filter objects have a method that builds the contents of a where-clause that is then passed to a SQL Server 2000 stored procedure where it is concatendated with the rest of the select query. The final string is then executed using Exec.

Currently this works fine except I worry about the performance issue with the lack of execution plan caching. In some research I have seen the use of calling sp_executesql; is this a better solution or are there better conventions for what I am doing?

Update: I think part of the issue with using sp_executesql is that based on a collection in my filter I need to generate a list of OR statements. I am not sure that the 'parameterized' query would be my solution.

example

    var whereClause = new StringBuilder();
    if (Status.Count > 0)
    {
       whereClause.Append("(");
       foreach (OrderStatus item in Status)
       {
          whereClause.AppendFormat("Orders.Status = {0} OR ", (int)item);
       }          

       whereClause.Remove(whereClause.Length - 4, 3);
       whereClause.Append(") AND ");
    }
A: 

Modern RDBMS'es (can't really say whether to consider SQL Server 2000 a "modern" one) are optimized for ad-hoc queries, so there's a negligible performance hit (if any). What's bothering me is that you're using sproc to construct dynamic SQL: this is a huge debugging/support PITA.

Anton Gogolev  2009-06-18 13:56:25
that is not true since an ad hoc query will get a different plan every single time while when you use sp_executesql with parameters you get plan reuse and the procedure cache doesn't get bloated either. You won't get conversions either...if you have nvarchar columns and execute where Col = 'bla' you get a conversion because 'bla' is varchar
SQLMenace  2009-06-18 13:59:14
I agree with you in regards to the debugging issue however the main select query string is a fairly simple select of columns and the dynamic section is passed from an object whose responsibility is to sanitize the data and construct the sql. Therefore for most debugging issues I have one place to look which is in the Filter object.
jwarzech  2009-06-18 14:02:54
I think Anton meant to say parameterized ad-hoc queries which definitely do get cached and have performance similar to stored procs.
Wyatt Barnett  2009-06-18 14:11:02
@Wyatt Sure, parameterized only: that's kinda default nowadays, isn't it?
Anton Gogolev  2009-06-18 14:13:29
Having a Sproc construct dynamic SQL (safely, which *is* possible) is highly preferable to having client code do the same thing, which all non-RPC requests basically are.
RBarryYoung  2009-06-18 16:18:55
+1  A: 

You should be using sp_executesql, simply because, as you say, the query plan is stored and future executions will be optimized. It also generally seems to handle dynamic sql better than execute.

GregD  2009-06-18 13:56:26
+3  A: 

sp_executesql is better than exec because of plan reuse, and you can use parameters which help against sql injection. sp_executesql also won't cause procedure cache bloat if used correctly

take a look at these two articles

Avoid Conversions In Execution Plans By Using sp_executesql Instead of Exec

Changing exec to sp_executesql doesn't provide any benefit if you are not using parameters correctly

SQLMenace  2009-06-18 13:56:49
+3  A: 

Yes, sp_executesql will "cache" the execution plan of the query it executes.

Alternatively, instead of passing part of the query to the stored procedure, building the full query there, and executing dynamic SQL, you could build entire query on .NET side and execute it using ADO.NET command object. All queries executed through ADO.NET are getting "cached" by default.

zvolkov  2009-06-18 14:00:24
only will cache it is is used properly, some developers change exec to sp_executesql and don't use params inside sp_executesql and that won't help..see here http://blogs.lessthandot.com/index.php/DataMgmt/DataDesign/changing-exec-to-sp_executesql-doesn-t-p
SQLMenace  2009-06-18 14:02:24
+1: support building SQL statement completely out of SQL Server. better tracing/logging, better debugging, much better readability of the code.
van  2009-06-18 14:03:25
A: 

sp_executesql is the better option. Have you considered not using a stored procedure for this or at least taking out some of the dynamics? I think it would be much safer from any kind of injection. I write filters much like you are talking about but i try to take care of the input in my code as opposed to in a stored procedure. I really like dynamic sql but maybe it's safer to go the extra mile sometimes.

Eric  2009-06-18 14:03:21
I would really like to use an linq-sql :0) - sadly not an option right now with this application.
jwarzech  2009-06-18 14:06:03
if you don't mind my asking...why is it not an option?
Eric  2009-06-18 14:08:50

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?