Please start any new threads on our new site at https://forums.sqlteam.com. We've got lots of great SQL Server experts to answer whatever question you can come up with.

 All Forums
 SQL Server 2000 Forums
 SQL Server Development (2000)
 SP, Dynamic SQL and Table Permissions

Author  Topic 

uberbloke
Yak Posting Veteran

67 Posts
Posted - 2002-01-18 : 09:47:27
I have a database (good start) on which users are explicitly denyed SELECT, INSERT, DELETE, UPDATE on all tables, the application is web based with a number of different logins.

ALL the access is via SP's.

One page needs three dynamic inputs to a query (order by field, sort direction and all or single company).

This needs dynamic sql.

Which gets executed in the SP (fine), but the sql is dynamically generated and gets applied directly on to the table, which throws an error 'cause that user has no SELECT permissions on tables only EXEC permissions on SPs!

What can I do?

(I have already thought about writing X number of queries to cover all possible senarios and then using goto or a case in the sp to execute the appropriate code -- but this is going to be a support nightmare when they want to add another sort field or change how many companies are retured!)

Any advice gratefully received.

smccreadie
Aged Yak Warrior

505 Posts
Posted - 2002-01-18 : 10:06:38
You can create a view that is basically select * from tblname and assign permissions to it. That way users aren't touching the tables directly.
Go to Top of Page

uberbloke
Yak Posting Veteran

67 Posts
Posted - 2002-01-18 : 10:36:16
will that fix the requirement to have dynamic order by and direction criteria?

if so, how?

Cheers :-)
Go to Top of Page

smccreadie
Aged Yak Warrior

505 Posts
Posted - 2002-01-18 : 11:36:05
Actually, as I think about it more - create the dynamic SQL inside the SPROC.

Here's a SPROC I wrote that takes some dynamic parameters. The end has the dynamic statement.



CREATE PROCEDURE purchases_top_dollar_down_compare

	@beg_date datetime,
	@end_date datetime,
	@compare_start_dt datetime,
	@compare_end_dt datetime,
	@location char(1),
	@records_to_print int -- the number of records to print, 0 will return all rows.
AS

SET NOCOUNT ON

CREATE TABLE #top_dollar_down (generic_drug varchar(50), total_current_period money,
				total_compare_period money, variance money)

--get the drugs and the totals for the first period
INSERT INTO #top_dollar_down (generic_drug, total_current_period)

SELECT ECGNAME, SUM(EXTENDED) AS total
FROM reporting_view3 
WHERE (HDINVDATE >= @beg_date and HDINVDATE <= @end_date and in_pt_or_out_pt = @location)

GROUP BY ECGNAME

--SELECT * FROM #top_dollar_down
--Now add in the comparative period

Create Table #tdd_compare (gen_name varchar(50), compare_period money)
	INSERT INTO #tdd_compare (gen_name, compare_period)

SELECT ECGNAME, SUM(EXTENDED)
FROM reporting_view3 
WHERE (HDINVDATE >= @compare_start_dt and HDINVDATE <= @compare_end_dt and in_pt_or_out_pt = @location)
GROUP BY ECGNAME

--select * from #tdd_compare
--APPEND IN LAST YEAR'S DATA FOR EXPENSES
UPDATE #top_dollar_down
	SET #top_dollar_down.total_compare_period = #tdd_compare.compare_period from #tdd_compare where #tdd_compare.gen_name =#top_dollar_down.generic_drug

drop table #tdd_compare

--CALCULATE THE VARIANCE
UPDATE #top_dollar_down
	SET variance = total_current_period - total_compare_period

DECLARE @SQL nvarchar(500)

IF @records_to_print = 0 
	SELECT * FROM #top_dollar_down	ORDER BY variance desc
Else
BEGIN
SET @SQL = N'SELECT TOP ' + CAST(@records_to_print as varchar) + ' * from #top_dollar_down
	ORDER BY variance desc'

exec sp_executesql @SQL
END
DROP TABLE #top_dollar_down
GO


You can plug more dynamic SQL in if you want (sort ASC or DESC).

Edited by - smccreadie on 01/18/2002 11:38:23
Go to Top of Page

Teroman
Posting Yak Master

115 Posts
Posted - 2002-01-18 : 12:19:23
in my experience you still cant execute dynamic sql in a proc, even if you have permission on the proc, I'm in the same situation as uberbloke

id just write some funky(ish) sql!!

have parameters @company (default to null), @sortfield and @sortdirection

select * from company
where company = isnull(@company, company)
order by
case
when @sortfield = 'company' and @sortdirection = 'desc' then company desc
when @sortfield = 'company' and @sortdirection = 'asc' then company asc
when @sortfield = 'town' and @sortdirection = 'desc' then company desc
--etc...
else phoneno desc --or whatever
end

hope this is ok

col
Go to Top of Page

uberbloke
Yak Posting Veteran

67 Posts
Posted - 2002-01-21 : 04:38:16
CHEERS!!!!!!!!!

I couldn't get the case working with the direction {asc|desc} but it was close enough for me to write something not too horrible

I love sql team!
Go to Top of Page

Nazim
A custom title

1408 Posts
Posted - 2002-01-21 : 07:50:36
how about a stored procedure on this lines


create procedure Tables(@mTablename varchar(255),@mColumnSort varchar(255),@mDirectionSort varchar(5),@mRowcount int)
declare @mqry(8000)
set Rowcount @mRowcount
select @mqry="select * from "+@mTablename + " Order by "+@mColumnSort +" "+@mDirectionSort
set Rowcount 0

HTH

--------------------------------------------------------------
Dont Tell God how big your Problem is , Tell the Problem how Big your God is
Go to Top of Page

Teroman
Posting Yak Master

115 Posts
Posted - 2002-01-21 : 08:03:11
this still contains dynamic sql, so the permissions aren't resolved(right word?) until the proc is run, so you need select on the tables underneath.

having case statements + isnulls is th best way ive found to do it, so far.

biggest pain has been doing cross-tab reports, need to hard code the tab matrix thingy which isnt nice

col
Go to Top of Page

robvolk
Most Valuable Yak

15732 Posts
Posted - 2002-01-21 : 09:58:23
quote:
biggest pain has been doing cross-tab reports, need to hard code the tab matrix thingy which isnt nice


Have you tried these yet?

http://www.sqlteam.com/item.asp?ItemID=2955
http://www.sqlteam.com/redir.asp?ItemID=5942
http://www.sqlteam.com/redir.asp?ItemID=2840

They're all dynamic cross-tab creators.
Go to Top of Page

Teroman
Posting Yak Master

115 Posts
Posted - 2002-01-21 : 11:21:34
read them, but this is all about NOT being allowed to use dynamic sql, so im afraid their use is like that of a bicycle to a fish

not a lot

interesting view into the mind of some ppl though ;)
Go to Top of Page

nr
SQLTeam MVY

12543 Posts
Posted - 2002-01-21 : 15:13:10
Unfortunatly any dynamic sql will need permission on the objects. Same as accessing a remote database.
Your situation can probably be resolved by something like this though

select ...
where (company = @company or @company is null)
order by
case when @direction <> 'asc' then null
else case @fld when 'company' then company when 'name' then name end asc ,
case when @direction <> 'desc' then null
else case @fld when 'company' then company when 'name' then name end desc



==========================================
Cursors are useful if you don't know sql.
Beer is not cold and it isn't fizzy.
Go to Top of Page
   

Subscribe to SQLTeam.com

SQLTeam.com Articles via RSS

SQLTeam.com Weblog via RSS

- Advertisement -

Resources

Articles

Forums

Blogs

Contact Us

About the Site