tags:

views:

79

answers:

4
Q: 

SQL Prepared Statements for complex filtering

Ok, so I know you should use prepared statements to avoid injection attacks as well as for the huge speed improvements, but there is still one place that I find myself doing string manipulation to build my sql query.

Suppose I have a search feature that consists of six or seven or n dropdown lists. Based on whether there is a default value in each of those lists I want to append an item to my where clause. Is there a good way to do this with prepared statements where I can pass the parameters to a stored procedure and have it determine whether or not to include each particular where clause?

A: 

The server should optimize out queries such as where field like '%', so I would just prepare a statement with everything. This would probably also make your code a lot simpler.

Justin  2009-08-18 17:50:34
Unbearably simpler, I can't believe I didn't think of using like. Wouldn't that put a big hit on performance otherwise though? I was under the impression that like was a good bit slower than =.
Aaron  2009-08-18 17:53:10
Good intuition, but it's not a big deal. See: http://myitforum.com/cs2/blogs/jnelson/archive/2007/11/16/108354.aspx
Justin  2009-08-18 17:56:16
+2  A: 

No question like this would be complete without a link to this article. It goes over the use of Exec and sp_executesql, and discusses SQL Injection in depth, within the context of Dynamic SQL:

The Curse and Blessings of Dynamic SQL
http://www.sommarskog.se/dynamic_sql.html

Robert Harvey  2009-08-18 17:54:37
I believe your link is broken?
Aaron  2009-08-18 18:00:07
I just tried it, works OK for me. Are you blocked from using .se domains?
Robert Harvey  2009-08-18 18:06:11
+1 Because the answer is "it depends" and Erland took the time to show you how to figure that out.
Strommy  2009-08-18 18:13:39
bah, stupid local intranet use the .se tld - didn't notice that. Google cache has me covered though. Excellent read, thank you.
Aaron  2009-08-18 18:22:59
A: 

Your best bet is parameterised SQL with sp_ExecuteSQL ... something like:

CREATE PROCEDURE usp_SampleTest
    @val1 INT
    @val2 INT
AS
    DECLARE @sql NVARCHAR(500)

    SET @sql = N'SELECT col1, col2, col3 FROM dbo.table WHERE 1 = 1'

    IF @val1 IS NOT NULL
       SET @sql = @sql + ' AND col3 = @pVal1'

    IF @val2 IS NOT NULL
       SET @sql = @sql + ' AND col4 = @pCol4'

    EXEC sp_ExecuteSQL @sql, '@pVal1 INT, @pVal2 INT', @val1, @val2

SQL Server will then cache execution plans the minimum number of execution plans with maximum flexibility in your SQL. Using sp_ExecuteSQL in this way as well means that it's secure from SQL injection attacks as well.

Chris J  2009-08-18 17:54:44
A: 

Have look at my answer to SO question SQL Stored Procedure: Conditional Return ... I think you could use the same type of thing.

John MacIntyre  2009-08-18 18:04:30

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?