I want to write a stored procedure that will accept a parameter @searchString. This will be a varchar(100) and will contain a query value. How can I write the sp so that it could do something like:

SELECT *
FROM Application a
INNER JOIN Applicant app ON app.ApplicationId = a.ApplicationId
WHERE a.ApplicationId = @searchString          -- int column compared with a varchar parameter
OR app.Name like @searchString + '%'          -- prefix match; the variable must be concatenated, not quoted
OR app.PostCode like @searchString + '%'

The problem for me is how to handle the fact that the searchString may contain an Id which will be an int or could be a string value.

A: 

You could put the select together as a string with proper quoting, and then use sp_executesql to run it.

But be aware that there is potential for SQL injection with this!

Frank
A: 
You can check that searchString has only numbers by using PATINDEX and then only compare with applicationId.

SELECT *
FROM Application a
INNER JOIN Applicant app ON app.ApplicationId = a.ApplicationId
-- PATINDEX returns 0 when no non-digit character is found
WHERE (PATINDEX('%[^0-9]%', @searchString) = 0 AND a.ApplicationId = @searchString)
OR app.Name like @searchString + '%'
OR app.PostCode like @searchString + '%'
Michael Pakhantsov
The problem with this is that the AND after PATINDEX is not conditional, so it causes a conversion error.
David Ward
A: 

I solved this by creating another local variable: if the searchString was numeric, convert it; if not, set it to zero (an id I know won't exist).

declare @id int
-- note: ISNUMERIC also returns 1 for values such as '1e3' or '$', which CONVERT(int, ...) rejects
if ISNUMERIC(@searchString) = 1
    set @id = CONVERT(int, @searchString)
else
    set @id = 0   -- an id that does not exist, so the first OR branch never matches

Then where clause looks like:

WHERE
    a.ApplicationId = @id
    OR app.Surname like @searchString + '%'
    OR app.Forenames like '%' + @searchString + '%'
David Ward
A: 

What about passing the stored proc an XML input parameter? That way when you "unpack" the XML you'd be able to control the data types and handle IDs or text as appropriate.

Darth Continent
A: 
SELECT *
FROM Application a
INNER JOIN Applicant app ON app.ApplicationId = a.ApplicationId
WHERE a.ApplicationId = 
  -- WHEN needs a boolean expression, so ISNUMERIC must be compared with 1
  case when ISNUMERIC(@searchString) = 1
  then
    CONVERT(int, @searchString)
  else
    0
  end
OR app.Name like @searchString + '%'
OR app.PostCode like @searchString + '%'
bbadour
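A complete procedure that combines the ideas in the answers above, as an added example that is not from any of the posters: it uses a strict all-digits test instead of ISNUMERIC (which accepts '1e3' or '$' and then fails in CONVERT), stays fully parameterised so Frank's dynamic-SQL injection concern does not arise, and escapes LIKE metacharacters so a caller cannot turn '%', '_' or '[' into a match-everything or pattern-altering prefix. Table and column names are the question's; the procedure name is assumed.

```sql
CREATE PROCEDURE dbo.SearchApplications   -- procedure name is assumed
    @searchString varchar(100)
AS
BEGIN
    SET NOCOUNT ON;

    -- Strict digit test: only 1-9 digit strings are treated as an id
    -- (9 digits always fits in int; ISNUMERIC would also accept '1e3', '$', '1.5').
    DECLARE @id int;
    SET @id = 0;   -- 0 is assumed never to be a real ApplicationId, as in David Ward's answer
    IF @searchString NOT LIKE '%[^0-9]%' AND LEN(@searchString) BETWEEN 1 AND 9
        SET @id = CONVERT(int, @searchString);

    -- Escape LIKE metacharacters so user input is matched literally.
    -- The escape character itself must be escaped first.
    DECLARE @pattern varchar(210);
    SET @pattern =
        REPLACE(REPLACE(REPLACE(REPLACE(@searchString,
            '\', '\\'), '%', '\%'), '_', '\_'), '[', '\[') + '%';

    SELECT a.*, app.*
    FROM Application a
    INNER JOIN Applicant app ON app.ApplicationId = a.ApplicationId
    WHERE a.ApplicationId = @id                 -- int-to-int comparison, no conversion error
       OR app.Name     LIKE @pattern ESCAPE '\'
       OR app.PostCode LIKE @pattern ESCAPE '\';
END
GO
```

With the input '%' the escaped pattern is '\%%', so only names or postcodes that literally start with a percent sign match, rather than every row.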