SQL Apprentice Question
In SQL 2000. Suppose I have a stored procedure where @SQLWhere is
a varchar(100) parameter which contains the WHERE Clause which will be used
with a SELECT Clause(which is in the store procedure).
How can I put all of this together so that the whole query (SELECT+WHERE) will
work correctly?
Celko Answers
>> Suppose I have a stored procedure where @SQLWhere is a VARCHAR(100) parameter which contains the WHERE Clause which will be used with a SELECT Clause(which is in the store procedure). <<
Then, by definition, this string is not a parameter, is it? It is code
that you want to run using dynamic SQL. It is also a very, very bad
programming technique. What you are telling the world is that you have
no idea what this procedure should do, so you have to depend on any
random future user to do your job.
Do you remember coupling and cohesion from your freshman Software
Engineering course?
Did you look up "SQL injection" as a possible problem?
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment