Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dynamic SQL Writing Efficient Queries on the Fly ED POLLACK AUTOTASK CORPORATION DATABASE OPTIMIZATION ENGINEER.

Published byGregory Park Modified over 8 years ago

Similar presentations

Presentation on theme: "Dynamic SQL Writing Efficient Queries on the Fly ED POLLACK AUTOTASK CORPORATION DATABASE OPTIMIZATION ENGINEER."— Presentation transcript:

1 Dynamic SQL Writing Efficient Queries on the Fly ED POLLACK AUTOTASK CORPORATION DATABASE OPTIMIZATION ENGINEER

2 What is Dynamic SQL? Build up a TSQL statement as a character string. Can incorporate unknowns into the SQL statement: variables, parameters, and table data. Statements can be simple and executed all at once, or built up over the course of a stored proc, in order to handle more complex logic. String manipulation functions can be used to facilitate creating the command string. Quick SQL Example: Dynamic SQL basics.

3 Advantages of Dynamic SQL Optional or custom searches. Dynamic WHERE, GROUP BY, HAVING, TOP X, ORDER BY, windowing functions, etc… Can greatly speed up complex queries where, at any given time, only a small amount of the SQL is needed. Generate large or complex SQL statements quickly and/or automatically. Execute TSQL on other databases or servers.

4 Dynamic SQL’s Weaknesses Character strings with apostrophes MUST always be managed correctly (SQL injection) Dynamic SQL can become very complex, difficult to read, hard to maintain and to debug. Permissions are different than with standard SQL. Unexpected results from unexpected input. Dynamic SQL (within quotes) always compiles successfully, but could error on execution. Cannot use dynamic SQL in functions.

5 Basic Tips for Writing Better Dynamic SQL Document thoroughly!!! Debugging: Use PRINT statements liberally to preview SQL text Test thoroughly all use cases, especially “dumb” input For complex procs, consider a @debug parameter Write dynamic SQL text just like you would regular SQL, with similar spacing and indenting. Always check spacing! NVARCHAR vs. VARCHAR (use the right one!) SQL Example: Good dynamic SQL Style

6 Scope Each dynamic SQL statement occurs in its own local scope! Variables & objects declared in your dynamic SQL statement will not be available elsewhere in your stored proc, or in other dynamic SQL statements. # temp tables will be unavailable outside of a dynamic SQL statement. ## temp tables can be created in dynamic SQL & used anywhere (beware security/dupes/misuse)

7 Efficiently Generating Lists Dynamic SQL can be used to quickly build lists--- either from variable inputs, or from columns of data in target tables. SQL Example: Efficiently Generating Lists From Table Data

8 sp_executesql System procedure that allows SQL text to be efficiently executed. Must use NVARCHAR for command string. Parameters can be passed in. Output parameters can be specified so that data can be retrieved from the dynamic SQL. Allows for execution plan reuse (if desired). SQL Example: sp_executesql

9 Parameter Sniffing Using sp_executesql will allow for plan reuse and force parameter sniffing. Using EXECUTE/EXEC will cause the statement to be executed completely dynamically. Queries are cached based on their EXACT text. A stored proc or sp_executesql allows their contents to be cached, with the parameters handled separately. Parameter sniffing is generally a good feature. It is how SQL Server reuses execution plans. In some scenarios, we may want to change this, but this will typically be rare.

10 Parameter Sniffing: SQL Example

11 SQL Injection SQL Example: SQL Injection Converting quotes into double-quotes is a common solution, but not necessarily good enough! Ensure security is limited enough to not allow purposeful (or accidental) access. This counts for user SQL accounts, but also for web logins or process accounts. Use sp_executesql for all searches w/ user input. Never expose error messages to the end user! Use QUOTENAME() for database objects. Use dbo (or schema name) with all object names.

12 Permissions & Security Dynamic SQL does not benefit from ownership chaining! Ensure the user running dynamic SQL has the correct permissions. EXEC(@SQL) AS USER = ‘Ed’ EXEC(@SQL) AS LOGIN = ‘MYLAPTOP\Ed’ Beware disk & OS permissions when using xp_cmdshell or any other OS level commands.

13 Saving Output You can insert the results of a dynamic SQL select into a temp table or table variable. This can be very useful in statements where the column list is known, but the contents can vary greatly. Using the OUTPUT keyword on a parameter, you can output data from a dynamic SQL command directly to the parameter. SQL Example: Saving Dynamic SQL Output

14 Bonus: The Crazy Dynamic Pivot PIVOT can allow a row set to be flipped into column headers… …But the column names must be predefined! Dynamic SQL allows for an ad-hoc column structure when you want data to determine this, and not a static list. SQL Example: The Crazy Dynamic Pivot

15 Conclusion Dynamic SQL is very versatile and powerful Only use it when appropriate Dynamic SQL generating dynamic SQL? Always cleanse inputs Always verify security & access to objects Be a neat freak & document thoroughly Also, come to SQL Saturday Albany! http://www.sqlsaturday.com/386/eventhome.aspx How to find me: ed7@alum.rpi.edu @EdwardPollack SQL Server Central Facebook

Download ppt "Dynamic SQL Writing Efficient Queries on the Fly ED POLLACK AUTOTASK CORPORATION DATABASE OPTIMIZATION ENGINEER."

Similar presentations

Understand Database Security Concepts

Understand Database Security Concepts
LCT2506 Internet 2 Further SQL Stored Procedures.

LCT2506 Internet 2 Further SQL Stored Procedures.
A Guide to SQL, Seventh Edition. Objectives Embed SQL commands in PL/SQL programs Retrieve single rows using embedded SQL Update a table using embedded.

A Guide to SQL, Seventh Edition. Objectives Embed SQL commands in PL/SQL programs Retrieve single rows using embedded SQL Update a table using embedded.
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.

Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Sql Server Advanced Features MIS 424 Professor Sandvig.

Sql Server Advanced Features MIS 424 Professor Sandvig.
Database Design for DNN Developers Sebastian Leupold.

Database Design for DNN Developers Sebastian Leupold.
Advanced Excel for Finance Professionals A self study material from South Asian Management Technologies Foundation.

Advanced Excel for Finance Professionals A self study material from South Asian Management Technologies Foundation.
Database Systems: Design, Implementation, and Management Eighth Edition Chapter 10 Database Performance Tuning and Query Optimization.

Database Systems: Design, Implementation, and Management Eighth Edition Chapter 10 Database Performance Tuning and Query Optimization.
About Dynamic Sites (Front End / Back End Implementations) by Janssen & Associates Affordable Website Solutions for Individuals and Small Businesses.

About Dynamic Sites (Front End / Back End Implementations) by Janssen & Associates Affordable Website Solutions for Individuals and Small Businesses.
OracleAS Reports Services. Problem Statement To simplify the process of managing, creating and execution of Oracle Reports.

OracleAS Reports Services. Problem Statement To simplify the process of managing, creating and execution of Oracle Reports.
9 Chapter Nine Compiled Web Server Programs. 9 Chapter Objectives Learn about Common Gateway Interface (CGI) Create CGI programs that generate dynamic.

9 Chapter Nine Compiled Web Server Programs. 9 Chapter Objectives Learn about Common Gateway Interface (CGI) Create CGI programs that generate dynamic.
Tom Castiglia Hershey Technologies

Tom Castiglia Hershey Technologies
Dinamic SQL & Cursor. Why Dinamic SQL ? Sometimes there is a need to dynamically create a SQL statement on the fly and then run that command. This can.

Dinamic SQL & Cursor. Why Dinamic SQL ? Sometimes there is a need to dynamically create a SQL statement on the fly and then run that command. This can.
Module 7 Reading SQL Server® 2008 R2 Execution Plans.

Module 7 Reading SQL Server® 2008 R2 Execution Plans.
Stored Procedures, Transactions, and Error-Handling

Stored Procedures, Transactions, and Error-Handling
Module 9 Designing and Implementing Stored Procedures.

Module 9 Designing and Implementing Stored Procedures.
PowerBuilder Online Courses - by Prasad Bodepudi

PowerBuilder Online Courses - by Prasad Bodepudi
Discovering Computers Fundamentals Fifth Edition Chapter 9 Database Management.

Discovering Computers Fundamentals Fifth Edition Chapter 9 Database Management.
Database Unit Test MSSQL 2008 & VS 2010 Aung Kyaw Myo.

Database Unit Test MSSQL 2008 & VS 2010 Aung Kyaw Myo.

Similar presentations

Ads by Google