ansaurus

Question

Answer 1

+2 A:

Isn't this equivalent to the following, without any dynamic behavior in it?

SELECT *
FROM MyTable m
WHERE
   (@Param1 IS NULL OR m.Col1 = @Param1)
AND
   (@Param2 IS NULL OR m.Col2 = @Param2)

Or is there a possibility that the columns themselves might be missing?

Victor Nicollet 2010-09-15 16:49:58

Logically to a dynamically constructed query, but [not sargable](http://en.wikipedia.org/wiki/Sargable)

OMG Ponies 2010-09-15 17:20:47

See here why that is bad for performance http://blogs.lessthandot.com/index.php/DataMgmt/DBProgramming/do-you-use-column-param-or-param-is-null

SQLMenace 2010-09-15 17:22:37

Would this be better for performance or does it lead to the same execution plan? m.Col1 = coalesce(@Param1, m.Col1)

Bill 2010-09-15 18:11:58

@OMG Ponies and @SQLMenace - thanks for the tips! I would have given the same advice as Victor here because a DBA once told me it would perform better than dynamic SQL. That blog entry was great. Time to run some more performance tests and see where I'm not using indexes!

sql_mommy 2010-09-15 18:56:30

@Bill: See SQLMenace's link; what you provided is no different from Victor's answer, just syntactic sugar.

OMG Ponies 2010-09-15 19:05:22

I *think* that with OPTION(RECOMPILE) in SQL Server 2k8 SPx, this will actually perform well

erikkallen 2010-09-17 14:02:53

@erikkallen: No, that would mean the execution plan is never cached. That's besides the non-sargable query...

OMG Ponies 2010-09-17 15:29:42

@Ponies: No, but have you ever seen any case where query compilation actually takes noticable time? I haven't, and I commonly use quite large queries. Sure, if you join 20 tables with 50 conditions, maybe.

erikkallen 2010-09-18 14:15:17

Answer 2

+2 A:

Assuming SQL Server 2005+ syntax because the database wasn't specified... Highly recommended reading before addressing the query: The curse and blessings of dynamic SQL

DECLARE @SQL NVARCHAR(4000)
    SET @SQL = N'SELECT m.*
                   FROM MyTable m
                  WHERE 1 = 1 '

    SET @SQL = @SQL + CASE 
                        WHEN @param1 IS NOT NULL THEN ' AND m.col1 = @param1 '
                        ELSE ' '
                      END   

    SET @SQL = @SQL + CASE 
                        WHEN @param2 IS NOT NULL THEN ' AND m.col2 = @param2 '
                        ELSE ' '
                      END

BEGIN

  EXEC sp_executesql @SQL,
                     N'@param1 [replace w/ data type], @param2 [replace w/ data type]'
                     @param1, @param2

END

OMG Ponies 2010-09-15 17:25:09

That should run just fine on SQL 2000 also, I don't see anything in your code that uses 2005+ syntax..however SET @SQL = needs to be SET @SQL = @SQL + or 2008+ syntax SET @SQL +=.....

SQLMenace 2010-09-15 17:28:09

sp_executesql was already there in version 7

SQLMenace 2010-09-15 17:31:24

Answer 3

A:

You may be forced to use dynamic sql whether you're using a stored proc or not. Before you implement this stored proc, think about a few things.

Are the parameters themselves dynamic? Would you use 2 parameters one call, 10 the next? If this is the case you will need to create a ton of "placeholder" stored proc parameters that may not be used every call. What if you define 10 placeholder parameters but then need 11? This is not clean. Maybe you could use some sort of array parameter....
If parameters are dynamic, you will be forced to use dynamic SQL within your proc. This opens you up to injection attacks. You will have to manually escape all input within your stored proc. Using dymamaic sql in a proc defeats one of the main reasons for using procs.

If parameters are truly dynamic, I may actually favor generating sql from the code rather than the stored proc. Why? If you generate from the code you can use the ADO library to escape the input.

Just make sure you do something like....

sql = "select * from table where colA=@colA"; //dyanmically generated SQlCommand.Parameters.add("@colA", valueA);

And not....

sql = "select * from table where colA=" + valueA; //dyanmically generated the wrong way

Mike 2010-09-15 17:26:41

Answer 4

A:

Also a 3rd thing to think about. What if the data type of the parameters is dynamic? Stored procs start to fall apart because they are a defined interface. If your operations do not conform to a interface, trying to squish them into a pre-set interface is going to be ugly.

If you're making some sort of open-ended graphical query tool, this situation will pop-up. Most of the time your data access will conform to an interface, but when it doesn't..... stored procs may not be the way to go.

Mike 2010-09-16 14:11:04

ansaurus

tags:

views:

answers:

SQL: Building where clause

related questions