Michael Maddison
michael at ddisolutions.com.au
Tue Dec 20 17:15:49 CST 2005
Marty, I can guard against SQL Injection. In my instance the db is a
reporting tool which has very little data that cannot be recreated (given a
worst case scenario).

How would you write a sproc that has 80 variable combos of Select columns and
approx 50 variable Where parts?

cheers

Michael M


SQL injection is the problem.

Michael Maddison wrote:

> Hi Jürgen,
>
> When faced with the same problem I went dynamic. Every other option
> just as you say looks ugly.
> I never found a good alternative, no one has offered one this time either.
> It seems to me that in situations like this the 'developers' go with
> dynamic SQL, the dba's moan ;-)
>
> cheers
>
> Michael M
>
>
> Michael:
>
> With variable joins, do you point something like a list source of search
> 'hits' to different queries, one query for each join, or how do you handle
> variable combinations of joins? Let's say there is 1 table that may be
> joined to 0 to 5 other tables in various combinations, being 32 possible
> querydefs. I've always constructed the SQL in code and was very satisfied
> with the performance. Add another table and you're up to 64 querydefs.
> That's ugly.
>
> Ciao
> Jürgen Welz
> Edmonton, Alberta
> jwelz at hotmail.com
>
>> From: "Michael Maddison" <michael at ddisolutions.com.au>
>>
>> Hi Jürgen,
>>
>> If you go with variable parameters check out the 'With Recompile' option.
>> It forces a new execution plan each time the procedure is run and
>> overcomes SQL's 'parameter sniffing' problem.
>>
>> cheers
>>
>> Michael Maddison
>>
>> DDI Solutions Pty Ltd
>> michael at ddisolutions.com.au
>> Bus: 0260400620
>> Mob: 0412620497
>> www.ddisolutions.com.au

--
Marty Connelly
Victoria, B.C.
Canada

--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
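One way to get the variable column list and optional WHERE parts Michael asks about while keeping the injection risk Marty raises off the table: build only the column list dynamically, from a whitelist, and pass every filter value to sp_executesql as a typed parameter. This is an added example, not code from the thread; it assumes a table dbo.Orders with the columns named in the whitelist and SQL Server 2017 or later (for STRING_SPLIT and STRING_AGG).

```sql
-- Added example (not from the thread). Assumes dbo.Orders(OrderID, CustomerID,
-- OrderDate, Amount, Status) and SQL Server 2017+.
CREATE PROCEDURE dbo.SearchOrders
    @Columns    nvarchar(400),          -- e.g. N'OrderID, Amount' (names only)
    @CustomerID int          = NULL,    -- each WHERE part is optional
    @Status     nvarchar(20) = NULL,
    @MinAmount  money        = NULL
WITH RECOMPILE                          -- new plan per call, as suggested upthread
AS
BEGIN
    SET NOCOUNT ON;

    -- Whitelist: callers pick column names, but only from this list.
    DECLARE @Allowed TABLE (ColName sysname PRIMARY KEY);
    INSERT INTO @Allowed (ColName)
    VALUES (N'OrderID'), (N'CustomerID'), (N'OrderDate'), (N'Amount'), (N'Status');

    -- Reject the whole call if any requested name is not whitelisted.
    IF EXISTS (SELECT 1
               FROM STRING_SPLIT(@Columns, N',') AS s
               WHERE LTRIM(RTRIM(s.value)) NOT IN (SELECT ColName FROM @Allowed))
    BEGIN
        RAISERROR(N'Unknown column requested.', 16, 1);
        RETURN;
    END;

    -- Select list comes from the whitelist rows, quoted, never from the raw input.
    DECLARE @SelectList nvarchar(max);
    SELECT @SelectList = STRING_AGG(QUOTENAME(a.ColName), N', ')
    FROM STRING_SPLIT(@Columns, N',') AS s
    JOIN @Allowed AS a ON a.ColName = LTRIM(RTRIM(s.value));

    -- WHERE parts reference parameter names only; values never enter the SQL text.
    DECLARE @Where nvarchar(max) = N'';
    IF @CustomerID IS NOT NULL SET @Where = @Where + N' AND [CustomerID] = @CustomerID';
    IF @Status     IS NOT NULL SET @Where = @Where + N' AND [Status] = @Status';
    IF @MinAmount  IS NOT NULL SET @Where = @Where + N' AND [Amount] >= @MinAmount';

    DECLARE @Sql nvarchar(max) =
        N'SELECT ' + @SelectList + N' FROM dbo.Orders WHERE 1 = 1' + @Where + N';';

    -- Unused parameters are simply passed as NULL; their predicates were never added.
    EXEC sys.sp_executesql @Sql,
        N'@CustomerID int, @Status nvarchar(20), @MinAmount money',
        @CustomerID = @CustomerID, @Status = @Status, @MinAmount = @MinAmount;
END;
```

Adding a WHERE part means adding one parameter and one IF line, so the 50 variants Michael mentions stay in one procedure without string-splicing any caller value.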