 Today's Version of your Dynamic SQL Articles...


AskSQLTeam
Posted - 2006-10-23 : 07:42:52
Steve writes "After reading your Dynamic ORDER BY article at http://www.sqlteam.com/item.asp?ItemID=2209 and your Dynamic WHERE article at http://www.sqlteam.com/item.asp?ItemID=2077 it left me wondering if you still have the same position 5-6 years later about Dynamic ORDER BY and WHERE clauses.

I've been doing a lot of research on SQL Injection prevention methods and everything I've been reading says to stay away from Dynamic SQL. I also saw a webcast recently where people were stating that WHERE X = COALESCE(@Y, X) was a bad thing.

Which leads me to my question...

In 2006-2007, if you still need to provide a secure means of dynamically changing the WHERE and ORDER BY clauses, what is the best way? Should you be using Dynamic SQL or a bunch of CASE statements and COALESCE functions?

If you have a different position now I'd love to see an article on it.

Thanks for your time and help,
Steve"
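As an added example (not from Steve's post or the two linked articles), here are the two approaches the question contrasts side by side: the static COALESCE(@Y, X) form, and a dynamic WHERE/ORDER BY that keeps user values out of the SQL string by passing them as sp_executesql parameters and mapping the sort column through a CASE onto a fixed list. The table dbo.Products and its columns are assumptions made for illustration.

```sql
-- Added example (not from Steve's post or the linked articles). A table dbo.Products
-- with columns ProductID, Name, CategoryID and Price is assumed for illustration.

-- Approach 1: static query, optional filters via the COALESCE(@Y, X) pattern the post mentions.
-- No concatenation, so no injection surface, but every filter is evaluated on every call
-- and a row whose column is NULL is never returned (NULL = NULL is not true).
CREATE PROCEDURE dbo.SearchProducts_Static
    @Name       nvarchar(100) = NULL,
    @CategoryID int           = NULL
AS
BEGIN
    SELECT ProductID, Name, CategoryID, Price
    FROM dbo.Products
    WHERE Name       = COALESCE(@Name, Name)
      AND CategoryID = COALESCE(@CategoryID, CategoryID);
END
GO

-- Approach 2: dynamic WHERE and ORDER BY assembled from fixed fragments only.
-- User values never enter the string: they go to sp_executesql as typed parameters,
-- and the sort column is mapped through a CASE onto a fixed set of column names.
CREATE PROCEDURE dbo.SearchProducts_Dynamic
    @Name       nvarchar(100) = NULL,
    @CategoryID int           = NULL,
    @SortBy     sysname       = N'Name',
    @SortDesc   bit           = 0
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT ProductID, Name, CategoryID, Price FROM dbo.Products WHERE 1 = 1';

    IF @Name IS NOT NULL
        SET @sql = @sql + N' AND Name = @Name';            -- parameter marker, not the value
    IF @CategoryID IS NOT NULL
        SET @sql = @sql + N' AND CategoryID = @CategoryID';

    -- Only these literals can reach ORDER BY; any other @SortBy value falls back to Name.
    SET @sql = @sql + N' ORDER BY '
        + CASE @SortBy WHEN N'Price'      THEN N'Price'
                       WHEN N'CategoryID' THEN N'CategoryID'
                       ELSE                    N'Name' END
        + CASE WHEN @SortDesc = 1 THEN N' DESC' ELSE N' ASC' END;

    EXEC sys.sp_executesql @sql,
        N'@Name nvarchar(100), @CategoryID int',
        @Name = @Name, @CategoryID = @CategoryID;
END
GO
```

Declaring a parameter for sp_executesql that the built statement does not use is allowed, which is what lets the same parameter list serve every combination of filters.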