Author: AskSQLTeam (Ask SQLTeam Question)
Posted - 2006-10-23 : 07:42:52
Steve writes:

"After reading your Dynamic ORDER BY article at http://www.sqlteam.com/item.asp?ItemID=2209 and your Dynamic WHERE article at http://www.sqlteam.com/item.asp?ItemID=2077, it left me wondering if you still have the same position 5-6 years later about Dynamic ORDER BY and WHERE clauses.

I've been doing a lot of research on SQL Injection prevention methods and everything I've been reading says to stay away from Dynamic SQL. I also saw a webcast recently where people were stating that WHERE X = COALESCE(@Y, X) was a bad thing.

Which leads me to my question... In 2006-2007, if you still need to provide a secure means of dynamically changing the WHERE and ORDER BY clauses, what is the best way? Should you be using Dynamic SQL or a bunch of CASE statements and COALESCE functions?

If you have a different position now I'd love to see an article on it.

Thanks for your time and help,
Steve"
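As an added example, not part of Steve's post or of the SQLTeam articles he cites, here are the two approaches the question contrasts, written as T-SQL stored procedures against a hypothetical dbo.Products table (every table, column and procedure name below is an assumption): a static query whose WHERE and ORDER BY vary through parameters and CASE expressions, and a dynamic-SQL version that accepts the sort column only from a whitelist and passes every user-supplied value to sp_executesql as a parameter instead of concatenating it into the statement.

```sql
-- Added example with hypothetical table and procedure names (not from the post).
-- Approach 1: a static query. Optional filters use (@p IS NULL OR col op @p)
-- and the sort column is chosen with CASE expressions, so no user input is
-- ever part of the SQL text and there is no injection surface at all.
CREATE PROCEDURE dbo.SearchProducts_Static
    @Name     NVARCHAR(100)  = NULL,
    @MinPrice DECIMAL(10, 2) = NULL,
    @SortBy   VARCHAR(20)    = 'Name'   -- one of 'Name', 'Price', 'Newest'
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProductId, Name, Price, CreatedAt
    FROM dbo.Products
    WHERE (@Name IS NULL OR Name LIKE @Name + N'%')
      AND (@MinPrice IS NULL OR Price >= @MinPrice)
    ORDER BY
        CASE WHEN @SortBy = 'Name'   THEN Name      END,
        CASE WHEN @SortBy = 'Price'  THEN Price     END,
        CASE WHEN @SortBy = 'Newest' THEN CreatedAt END DESC,
        ProductId;   -- deterministic tie-break
END
GO

-- Approach 2: dynamic SQL. The only caller-influenced text is the sort
-- column and direction, which must match a fixed list (the column is also
-- wrapped in QUOTENAME); every user value is passed as a parameter to
-- sp_executesql, never concatenated.
CREATE PROCEDURE dbo.SearchProducts_Dynamic
    @Name     NVARCHAR(100)  = NULL,
    @MinPrice DECIMAL(10, 2) = NULL,
    @SortBy   SYSNAME        = N'Name',
    @SortDir  VARCHAR(4)     = 'ASC'
AS
BEGIN
    SET NOCOUNT ON;

    -- Whitelist checks: anything else (including NULL) is rejected before
    -- any SQL is built.
    IF @SortBy IS NULL OR @SortBy NOT IN (N'Name', N'Price', N'CreatedAt')
    BEGIN
        RAISERROR('Invalid sort column.', 16, 1);
        RETURN;
    END
    IF @SortDir IS NULL OR @SortDir NOT IN ('ASC', 'DESC')
    BEGIN
        RAISERROR('Invalid sort direction.', 16, 1);
        RETURN;
    END

    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT ProductId, Name, Price, CreatedAt
                 FROM dbo.Products
                 WHERE 1 = 1';

    -- Only fixed fragments are appended; @Name and @MinPrice stay parameters
    -- inside the statement text.
    IF @Name IS NOT NULL
        SET @sql = @sql + N' AND Name LIKE @Name + N''%''';
    IF @MinPrice IS NOT NULL
        SET @sql = @sql + N' AND Price >= @MinPrice';

    SET @sql = @sql + N' ORDER BY ' + QUOTENAME(@SortBy) + N' ' + @SortDir
                    + N', ProductId';

    EXEC sys.sp_executesql
        @sql,
        N'@Name NVARCHAR(100), @MinPrice DECIMAL(10, 2)',
        @Name = @Name,
        @MinPrice = @MinPrice;
END
GO

-- Example calls: a value containing a quote is just data, and a sort column
-- that is not on the whitelist is rejected before any SQL is assembled.
EXEC dbo.SearchProducts_Dynamic @Name = N'O''Brien', @SortBy = N'Price', @SortDir = 'DESC';
EXEC dbo.SearchProducts_Dynamic @SortBy = N'Name; DROP TABLE dbo.Products';  -- raises error 50000-level 16
```

The static form cannot be injected because the statement text is fixed, but its CASE-based ORDER BY cannot use an index for the sort and its optional filters tend to get one cached plan for all combinations of parameters. The dynamic form gets a plan tailored to the filters actually present and stays safe only because nothing the caller supplies is ever concatenated: values travel as sp_executesql parameters, and the sort column and direction are checked against a fixed list (the column additionally goes through QUOTENAME). The optional filters are written as (@Name IS NULL OR Name LIKE ...) rather than Name = COALESCE(@Name, Name) because the COALESCE form silently drops rows where the column itself is NULL, since NULL = NULL is never true. The example avoids 2008+ syntax (DECLARE with an initializer, +=, THROW) so it runs on SQL Server 2005 as well.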