[dba-SQLServer] Dynamic SQL

Michael Maddison michael at ddisolutions.com.au
Fri Mar 28 19:42:31 CDT 2008


Hi John,

Dynamic SQL seems like the obvious solution in your circumstance.
If you are executing the strings from code then another option is to
build some generic global
sprocs on your server.

I would do something like...

USE MASTER
GO
CREATE PROCEDURE dbo.DeleteFrom (
	@DB nvarchar(100), 
	@table nvarchar(100)
)
AS
DECLARE @SQL [nvarchar](4000)

IF @DB <> N'' AND @table <> N''	
	BEGIN
	SET @SQL = 'DELETE FROM ' + @DB + '.' + LTRIM(RTRIM(@table))
	PRINT @SQL
	EXEC sp_executesql @SQL
	PRINT @@ROWCOUNT
	END 


And call it like 
EXEC  [master].[dbo].[DeleteFrom] 'databasename', 'dbo.tablename'

HTH

Michael M



I know that dynamic SQL is frowned upon for obvious reasons.  Please
phrase your responses understanding the following:

1) I work by myself, there are no other DB users.
2) My network is connected through a "consumer grade" router / firewall
to the internet.
3) I run Avs, software firewalls and the newer "zero day" malware
detectors such as Counterspy and Threatfire.
4) I have never (to my knowledge) been infected by any viruses, key
loggers, Trojans or other such malware.
5) There ARE other computers in the house that also connect to the
internet, specifically my wife's laptop and my son's laptop.  Both of
them run Avs and software firewalls.

I am trying to build SPs and such to perform functionality such as 

	Delete * from tblTemp
	Bulk Insert 'SomeDbName.SomeTblName' from 'SomeFilePath'

Obviously if I am going to use this to process files in my many
different databases then I will need a way to pass in SomeDbName,
SomeTblName, and SomeFileName.  ATM I am doing this by using dynamic
SQL, i.e. building up SQL strings and then Executing those strings.  It
all seems to be working.

I am SPECIFICALLY ASKING for "best practices" couched within the
situation that I work in.  I am not using a database that directly faces
the internet or is ever touched (to my knowledge) by any outsiders.
Even considering my situation, if the "better way" is actually
attainable (by ME, and you already know what THAT means) I will do
things the better way. 

1) Is there another way besides the dynamic SQL?
2) Is this "other way" generic, can it be applied to all of my
databases, or would I need to store the same SP in each db and use local
table names.  Or would I need to do something else entirely.

Please please do not respond with how to handle this for an internet
company taking orders from the internet or an IBM with 6 thousand direct
users of the database.  But please do let me know if or why I should
take the same precautions anyway and what those precautions would be IF
I really need to be doing more.  I am asking for all opinions, and yet I
am still asking you to consider my circumstances and offer your opinions
based around that.

Obviously I want to be as secure as I can be while accepting the fact
that it is just lonely me with no dedicated security guru.

Thanks,

John W. Colby
Colby Consulting
www.ColbyConsulting.com 

_______________________________________________
dba-SQLServer mailing list
dba-SQLServer at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
http://www.databaseadvisors.com





More information about the dba-SQLServer mailing list