SQL Server Universe.com - Problem when creating SQL Query Dynamically

The sum of all SQL Server matter that exist,
and the space in which all SQL Server events
occur or could occur.

Welcome to SQL Server Universe.com Sign in | Join | Help

Home

SS SLUG

SQL Server Universe.com » SQL Server Components » T-SQL » Re: Problem when creating SQL Query Dynamically

Problem when creating SQL Query Dynamically

Last post 03-14-2008, 10:34 by Gogula G. Aryalingam. 2 replies.


	Sort Posts: Previous

Problem when creating SQL Query Dynamically
03-13-2008, 12:16

	manjuke
	Joined on 03-13-2008 Posts 5 Points 0 Reply Quote

Hi,

I am writing a Stored Procedure which will create a Dynamic SQL query and execute at the end. And I am passing a parameter to the procedure, which will be used to select records in the where clasue. This works perfectly when only one value is passed. But I want to pass several values. How can I do that.

Eg:

The Query should be:

select * from <tablename> where <fieldname> in (@Param)

What I did was:

declare @Query as nvarchar(512)

set @Query = 'select * from <tablename> where <fieldname> in (@Param)'

exec sp_executesql @Query, N'@Param nvarchar(50)', @spParam

**@spParam will be passed to the Procedur. And the actual query should be:

select * from <tablename> where <fieldname> in ('100','101','103')

How can I do this

Thanks In Advance

Post Points: 0
Report abuse

Re: Problem when creating SQL Query Dynamically
03-13-2008, 17:29

	G.R.Preethiviraj Kulasingham
	Joined on 04-02-2007 Colombo Posts 28 Points 0 Reply Quote

Hi Manjuke,

Try to construct the string dynamically and execute it. SQL Server will expect a single value for @Param.

declare @Query as nvarchar(512), @spParam nvarchar(100)

Set @spParam='''s'',''t'''

set @Query = 'select * from sys.objects where type in ('+@spParam +')'

exec sp_executesql @Query

Having said this, i need to tell that dynamic sql is ugly. It has a potential security threat through sql injection and can cause performance issues ona busy server.

G.R.Preethiviraj Kulasingham MCITP: DBA
http://preethiviraj.blogspot.com/
Plan Your Work and Work Your Plan!

Post Points: 0
Report abuse

Re: Problem when creating SQL Query Dynamically
03-14-2008, 10:34

	Gogula G. Aryalingam
	Joined on 11-22-2006 Colombo, Sri Lanka Posts 230 Points 0 Reply Quote

Hi, I have to agree with Preethi about dynamic SQL.

Manjuke, you could try something like this if you need to avoid the dynamic SQL bit in your example:

Use a user-defined table-valued function that would break the string at the commas and return a table containing a single column of the values specified in @spParam This user defined function can be either a SQL function or a CLR function.

DECLARE @spParam nvarchar(50)
SET @spParam = '12,43,445'

SELECT * FROM <tablename> WHERE <fieldname> IN (SELECT * FROM fnX(@spParam))

Note: fnX is the function mention above.

Alternatively, you could embed the code to break the string at the commas within your stored procedure itself, like this:

DECLARE @spParam nvarchar(50)
SET @spParam = '123,5,43,445'

-- Declare a table variable to hold the IDs that are split from the parameter string
DECLARE @ParamTable TABLE
(
[ParamValue] int
)

-- Split the parameter string, and populate the table variable with the IDs
WHILE (CHARINDEX(',', @spParam) > 0)
BEGIN

INSERT INTO @ParamTable
SELECT LEFT(@spParam, CHARINDEX(',', @spParam) -1)

SET @spParam = RIGHT(@spParam, LEN(@spParam) - CHARINDEX(',', @spParam))