tags:

views:

1099

answers:

3
+2  Q: 

SQL Server: Dynamic where-clause

Problem:

Ajax suggest-search on [n] ingredients in recipes. That is: match recipes against multiple ingredients.

For instance: SELECT Recipes using "flower", "salt" would produce: "Pizza", "Bread", "Saltwater" and so forth.

Tables:

Ingredients [
    IngredientsID INT [PK],
    IngredientsName VARCHAR
]

Recipes [
    RecipesID INT [PK],
    RecipesName VARCHAR
]

IngredientsRecipes [
    IngredientsRecipesID INT [PK],
    IngredientsID INT,
    RecipesID INT
]

Query:

SELECT
    Recipes.RecipesID,
    Recipes.RecipesName,
    Ingredients.IngredientsID,
    Ingredients.IngredientsName
FROM
    IngredientsRecipes

    INNER JOIN Ingredients
    ON IngredientsRecipes.IngredientsID = Ingredients.IngredientsID

    INNER JOIN Recipes
    ON IngredientsRecipes.RecipesID = Recipes.RecipesID
WHERE
    Ingredients.IngredientsName IN ('salt', 'water', 'flower')

I am currently constructing my query using ASP.NET C# because of the dynamic nature of the WHERE clause.

I bites that I have to construct the query in my code-layer instead of using a stored procedure/pure SQL, which in theory should be much faster.

Have you guys got any thoughts on how I would move all of the logic from my code-layer to pure SQL, or at least how I can optimize the performance of what I'm doing?

I am thinking along the lines of temporary tables:

Step one: SELECT IngredientsID FROM Ingredients and INSERT INTO temp-table

Step two: SELECT RecipesName FROM Recipes joined with IngredientsRecipes joined with temp-table.IngredientsID

+2  A: 

Depending on how you are processing the input ingredients I think this current method has some sql injection risks.

You could append the ingrediant name to the join conditions which may be quicker.

You could also hash combinations of ingredients for receipes for a quick lookup.

alexmac  2008-09-27 22:05:25
I agree. Script injection issues is also one of my concerns. Could you elaborate on "hasing"?
roosteronacid  2008-09-27 22:15:47
If you have the user choose from a list of possible ingredients, the one's in your ingredients table, you could programmaticly use those ids, in your where statement and no injection issue.
Brettski  2008-09-27 22:20:44
E.g. If you process an MD5 or SHA1 hash by appending the words salt water flour you will get one value (your hash). In your lookup you could then just look for this an item matching this. As you are comparing one value rather than a list it would be quicker.
alexmac  2008-09-27 22:27:17
Clever, Alexmac :)
roosteronacid  2008-09-27 22:33:14
That would only give him an exact match. the logic of the sample query implies he wants recipes that contain any of the ingredients.Now that you mention it though one trick would be to use a bitmask for your values.
Mike Brown  2008-09-29 12:17:33
+6  A: 

You have two options. If you're using SQL Server 2008 (or Oracle) you can pass in a table value parameter.

If you're using SQL Server 2005, you can use XML to simulate this capability

If you're using something earlier than 2005, you need to concatenate the ids in a single string and create a UDF to parse them.

Mike Brown  2008-09-27 22:14:03
Awesome news, Mike. Thanks a bunch! :)
roosteronacid  2008-09-27 22:28:45
+2  A: 

You could at least parametrize the where clausule to avoid SQL injection, something alike:

    using System.Data;
using System.Data.SqlClient;
using System.Text;

class Foo
{
    public static void Main ()
    {
     string[] parameters = {"salt", "water", "flower"};
     SqlConnection connection = new SqlConnection ();
     SqlCommand command = connection.CreateCommand ();
     StringBuilder where = new StringBuilder ();
     for (int i = 0; i < parametes.Length; i++)
     {
      if (i != 0)
       where.Append (",");
      where.AppendFormat ("@Param{0}", i);
      command.Parameters.Add (new SqlParameter ("Param" + i, parameters [i]));
     }
    }
}
AlbertEin  2008-09-27 22:26:07
Yes. I was taking care of potential injections. Mike Brown came up with a stroke of genius. But thanks for your effort mate.
roosteronacid  2008-09-27 22:30:40

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?