Dynamic SQL Writing Efficient Queries on the Fly
Presentation transcript:

Dynamic SQL: Writing Efficient Queries on the Fly
Ed Pollack, Database Administrator, Commerce Hub

Coming Soon…
Dynamic SQL: Applications, Performance, and Security: http://www.amazon.com/Dynamic-SQL-Applications-Performance-Security/dp/1484218108

What is Dynamic SQL?
- A T-SQL statement is built up as a character string and then executed.
- Unknowns can be incorporated into the statement: variables, parameters, and table data.
- Statements can be simple and executed all at once, or built up over the course of a stored procedure in order to handle more complex logic.
- String manipulation functions can be used to assemble the command string.
- Quick SQL example: dynamic SQL basics.

Advantages of Dynamic SQL
- Optional or custom searches: dynamic WHERE, GROUP BY, HAVING, TOP X, ORDER BY, windowing functions, etc.
- Can greatly speed up complex queries where, at any given time, only a small part of the SQL is actually needed.
- Generate large or complex SQL statements quickly and/or automatically.
- Execute T-SQL against other databases or servers.

Dynamic SQL's Weaknesses
- Character strings containing apostrophes MUST always be handled correctly: an unescaped apostrophe in an input value terminates the string literal, and that is the opening for SQL injection.
- Dynamic SQL can become very complex, difficult to read, and hard to maintain and debug.
- Permissions work differently than with standard SQL (the ownership chain is broken; see Permissions & Security).
- Unexpected input produces unexpected results.
- The SQL inside the quotes is just a string to the compiler: the enclosing batch always compiles successfully, and any error in the generated statement surfaces only when it is executed.
- Dynamic SQL cannot be used inside functions (EXEC and sp_executesql are not permitted in user-defined functions).

Basic Tips for Writing Better Dynamic SQL
- Document thoroughly!
- Debugging: use PRINT statements liberally to preview the generated SQL text.
- Test all use cases thoroughly, especially "dumb" input.
- For complex procs, consider a @debug parameter that prints the command instead of executing it.
- Write dynamic SQL text just like you would regular SQL, with similar spacing and indenting. Always check spacing: a missing space where two fragments are concatenated produces invalid SQL that you only discover at execution time.
- NVARCHAR vs. VARCHAR: use the right one (sp_executesql requires NVARCHAR).
- SQL example: good dynamic SQL style.

Scope
- Each dynamic SQL statement runs in its own local scope!
- Variables and objects declared inside a dynamic SQL statement are not available elsewhere in the stored proc, or in other dynamic SQL statements; pass values in and out as sp_executesql parameters instead.
- A #temp table created inside a dynamic SQL statement is dropped when that statement finishes and is unavailable outside it. (A #temp table created by the calling proc before the EXEC is visible inside the dynamic SQL, since the child batch inherits the session's temp tables.)
- ##global temp tables created in dynamic SQL persist and can be used anywhere, including from other sessions (beware security, duplicate names, and misuse).
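The scope rules above, as an added example that is not part of the original slides. It targets SQL Server; every object name in it is constructed for the demo.

```sql
-- Added example (not from the original slides): how scope works in dynamic SQL.
-- Assumes SQL Server; all object names are constructed for this demo.

-- 1. A variable declared in the outer batch is NOT visible inside the dynamic string.
DECLARE @outer INT = 42;
-- EXEC('SELECT @outer;');   -- fails: @outer is not declared in the child scope

-- 2. Pass the value in explicitly as an sp_executesql parameter instead.
EXEC sp_executesql N'SELECT @inner AS PassedIn;', N'@inner INT', @inner = @outer;

-- 3. A #temp table created OUTSIDE the dynamic SQL is visible INSIDE it:
--    the child batch inherits the session's temp tables.
CREATE TABLE #outer_tmp (id INT);
INSERT INTO #outer_tmp VALUES (1), (2);
EXEC('INSERT INTO #outer_tmp VALUES (3); SELECT COUNT(*) AS RowsSeen FROM #outer_tmp;');

-- 4. A #temp table created INSIDE the dynamic SQL is dropped when that batch ends.
EXEC('CREATE TABLE #inner_tmp (id INT); INSERT INTO #inner_tmp VALUES (1);');
-- SELECT * FROM #inner_tmp;  -- fails: the object no longer exists in this scope

-- 5. A ##global temp table survives the child batch and is visible to EVERY
--    session on the instance, so another caller can read it or collide with the
--    name. Use a unique suffix and drop it as soon as you are done.
EXEC('CREATE TABLE ##shared_tmp (id INT); INSERT INTO ##shared_tmp VALUES (1);');
SELECT id FROM ##shared_tmp;
DROP TABLE ##shared_tmp;

DROP TABLE #outer_tmp;
```

If you need rows produced inside the dynamic SQL back in the caller, create the #temp table in the caller and let the dynamic statement INSERT into it (point 3), rather than reaching for a ## table.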

Efficiently Generating Lists
- Dynamic SQL can be used to quickly build lists, either from variable inputs or from columns of data in the target tables.
- SQL example: efficiently generating lists from table data.

sp_executesql
- System procedure that executes SQL text efficiently.
- The command string must be NVARCHAR.
- Parameters can be passed in, so user values never become part of the command text.
- Output parameters can be specified so that data can be retrieved from the dynamic SQL.
- Allows execution plan reuse (if desired).
- SQL example: sp_executesql
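The optional-search pattern from the Advantages slide, written with sp_executesql as this slide recommends, as an added example that is not part of the original slides. It builds only the predicates the caller supplied, passes every value as a parameter, and returns the row count through an OUTPUT parameter. The #Customers table and its data are constructed for the demo.

```sql
-- Added example (not from the original slides): an optional-search that appends only
-- the predicates it needs, yet passes every user value as a parameter.
-- The #Customers table and rows are constructed for this demo.
CREATE TABLE #Customers (CustomerId INT, LastName NVARCHAR(50), City NVARCHAR(50), Balance DECIMAL(10,2));
INSERT INTO #Customers VALUES
    (1, N'Smith',   N'Albany', 10.00),
    (2, N'O''Brien', N'Troy',  250.00),
    (3, N'Smith',   N'Troy',     0.00);

DECLARE @LastName   NVARCHAR(50)  = N'Smith',  -- supplied by the caller
        @City       NVARCHAR(50)  = NULL,      -- not supplied: predicate is omitted
        @MinBalance DECIMAL(10,2) = NULL,      -- not supplied: predicate is omitted
        @RowCount   INT;                       -- filled via an OUTPUT parameter

DECLARE @Sql NVARCHAR(MAX) = N'
SELECT CustomerId, LastName, City, Balance
FROM #Customers
WHERE 1 = 1';

-- Only the SHAPE of the query is dynamic. The values never enter the string, so
-- a name like O''Brien, a stray quote or a comment marker is just data.
IF @LastName   IS NOT NULL SET @Sql += N'
  AND LastName = @LastName';
IF @City       IS NOT NULL SET @Sql += N'
  AND City = @City';
IF @MinBalance IS NOT NULL SET @Sql += N'
  AND Balance >= @MinBalance';

SET @Sql += N';
SELECT @RowCount = @@ROWCOUNT;';

PRINT @Sql;   -- preview the generated text while debugging

-- Every parameter is declared even when its predicate was not appended: the
-- parameter list stays fixed, so each distinct predicate combination caches one
-- plan that is reused for every set of values.
EXEC sp_executesql @Sql,
     N'@LastName NVARCHAR(50), @City NVARCHAR(50), @MinBalance DECIMAL(10,2), @RowCount INT OUTPUT',
     @LastName = @LastName, @City = @City, @MinBalance = @MinBalance,
     @RowCount = @RowCount OUTPUT;

SELECT @RowCount AS MatchingRows;
DROP TABLE #Customers;
```

With three optional predicates there are at most eight distinct query texts, each with its own cached plan, instead of one plan per distinct search value (the EXEC-with-literals outcome) or one plan that has to cover every combination of NULL parameters (the static `WHERE (@City IS NULL OR City = @City)` outcome).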

Parameter Sniffing
- Using sp_executesql allows plan reuse and therefore parameter sniffing: the plan is compiled for the parameter values seen at first execution and reused for later ones.
- Using EXECUTE/EXEC runs the statement as an ad hoc batch. Ad hoc queries are cached based on their EXACT text, so every distinct literal value produces a separate compilation and cache entry.
- A stored proc or sp_executesql allows the statement text to be cached once, with the parameter values handled separately.
- Parameter sniffing is generally a good feature; it is how SQL Server reuses execution plans. In some scenarios we may want to change this behavior, but that is typically rare.

Parameter Sniffing: SQL Example

SQL Injection
- SQL example: SQL injection.
- Doubling apostrophes (replacing ' with '') is a common solution, but not necessarily good enough! It only protects a string literal; it does nothing for values spliced into numeric, identifier, or ORDER BY positions.
- Keep permissions tight enough that neither purposeful nor accidental access is possible. This applies to user SQL accounts, and also to web logins and process accounts.
- Use sp_executesql, with parameters, for all searches that take user input.
- Never expose error messages to the end user!
- Use QUOTENAME() for database object names that have to be spliced into the text.
- Use dbo (or the correct schema name) with all object names.

SQL Injection (cont)
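The injection scenario described on the previous slide, as an added example that is not part of the original slides: the unsafe concatenation, the input that breaks it, the apostrophe-doubling "fix", and the hardened version using sp_executesql parameters plus QUOTENAME() for a caller-chosen column name. The #Users table, the payload, and the column whitelist are all constructed for the demo.

```sql
-- Added example (not from the original slides): vulnerable, patched-by-escaping,
-- and hardened versions of the same lookup. Table and payload are constructed.
CREATE TABLE #Users (UserId INT, UserName NVARCHAR(50), IsAdmin BIT);
INSERT INTO #Users VALUES (1, N'alice', 0), (2, N'bob', 1);

-- Attacker-controlled input (constructed): closes the literal, adds a tautology,
-- and comments out whatever follows.
DECLARE @Input NVARCHAR(100) = N''' OR 1=1 --';

-- VULNERABLE: the value is spliced into the command text.
DECLARE @Bad NVARCHAR(MAX) =
    N'SELECT UserId, UserName FROM #Users WHERE UserName = ''' + @Input + N''';';
PRINT @Bad;   -- ... WHERE UserName = '' OR 1=1 --';
EXEC (@Bad);  -- returns every row

-- ESCAPED: doubling apostrophes stops this payload, but it is still string
-- surgery. It does nothing for a value placed in a numeric or identifier
-- position, and a value that grows under REPLACE and is then truncated into a
-- fixed-width variable can lose its closing quote again.
DECLARE @Escaped NVARCHAR(MAX) =
    N'SELECT UserId, UserName FROM #Users WHERE UserName = '''
    + REPLACE(@Input, N'''', N'''''') + N''';';
EXEC (@Escaped);  -- no rows: the whole payload is compared as a user name

-- HARDENED: the value travels as a parameter and never touches the command text.
-- A caller-chosen column name cannot be a parameter, so it is checked against a
-- whitelist and then bracketed with QUOTENAME(). With a permanent table, write
-- dbo.Users rather than Users so name resolution cannot be redirected.
DECLARE @Column SYSNAME = N'UserName';   -- caller-chosen
IF @Column NOT IN (N'UserId', N'UserName')
    THROW 50000, N'Unknown search column.', 1;

DECLARE @Good NVARCHAR(MAX) =
    N'SELECT UserId, UserName FROM #Users WHERE ' + QUOTENAME(@Column) + N' = @Value;';
EXEC sp_executesql @Good, N'@Value NVARCHAR(50)', @Value = @Input;  -- no rows

DROP TABLE #Users;
```

The error path matters as much as the query: if the THROW message (or any SQL error) reaches the browser, the attacker learns column names and database structure, which is the point of the "never expose error messages" rule.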

Permissions & Security
- Dynamic SQL does not benefit from ownership chaining! The generated statement is checked against the caller's own permissions, so ensure the user running the dynamic SQL has the correct rights on every object it references.
- EXEC (@SQL) AS USER = 'Ed'
- EXEC (@SQL) AS LOGIN = 'MYLAPTOP\Ed'
- Beware disk and OS permissions when using xp_cmdshell or any other OS-level commands.
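The broken ownership chain described above, as an added example that is not part of the original slides. It contrasts a static procedure, a dynamic one, and a dynamic one declared WITH EXECUTE AS OWNER; the user, table and procedure names are constructed, and the script is meant for a throwaway database run by a sysadmin.

```sql
-- Added example (not from the original slides): why ownership chaining does not
-- cover dynamic SQL, and one way to restore controlled access. Names are constructed.
-- Run as a sysadmin in a throwaway database.
CREATE USER ReportReader WITHOUT LOGIN;
CREATE TABLE dbo.Payroll (EmployeeId INT, Salary DECIMAL(10,2));
INSERT INTO dbo.Payroll VALUES (1, 50000), (2, 72000);
GO
-- Static SQL: proc and table share an owner (dbo), so ownership chaining lets
-- ReportReader run this with nothing but EXECUTE on the procedure.
CREATE PROCEDURE dbo.AvgSalaryStatic AS
    SELECT AVG(Salary) AS AvgSalary FROM dbo.Payroll;
GO
-- Dynamic SQL: the chain is broken. The executed string is checked against the
-- caller's own rights, and ReportReader has none on dbo.Payroll.
CREATE PROCEDURE dbo.AvgSalaryDynamic AS
    EXEC sp_executesql N'SELECT AVG(Salary) AS AvgSalary FROM dbo.Payroll;';
GO
-- Dynamic SQL with EXECUTE AS OWNER: the string now runs with dbo's rights.
-- Audit such procedures closely: anything injected into them also runs as dbo.
CREATE PROCEDURE dbo.AvgSalaryDynamicAsOwner WITH EXECUTE AS OWNER AS
    EXEC sp_executesql N'SELECT AVG(Salary) AS AvgSalary FROM dbo.Payroll;';
GO
GRANT EXECUTE ON dbo.AvgSalaryStatic        TO ReportReader;
GRANT EXECUTE ON dbo.AvgSalaryDynamic       TO ReportReader;
GRANT EXECUTE ON dbo.AvgSalaryDynamicAsOwner TO ReportReader;
GO
EXECUTE AS USER = 'ReportReader';
EXEC dbo.AvgSalaryStatic;           -- succeeds via ownership chaining
-- EXEC dbo.AvgSalaryDynamic;       -- fails: SELECT permission denied on dbo.Payroll
EXEC dbo.AvgSalaryDynamicAsOwner;   -- succeeds: the dynamic SQL runs as the owner
REVERT;
GO
-- Cleanup
DROP PROCEDURE dbo.AvgSalaryStatic, dbo.AvgSalaryDynamic, dbo.AvgSalaryDynamicAsOwner;
DROP TABLE dbo.Payroll;
DROP USER ReportReader;
```

EXECUTE AS OWNER is the quick fix; module signing (a certificate-based user granted exactly the rights the dynamic SQL needs) achieves the same effect without making the whole procedure run as dbo, and is the better choice when the procedure accepts any caller-controlled input.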

Saving Output
- You can insert the results of a dynamic SQL SELECT into a temp table or table variable. This is very useful in statements where the column list is known but the contents can vary greatly.
- Using the OUTPUT keyword on a parameter, you can return data from a dynamic SQL command directly into that parameter.
- SQL example: saving dynamic SQL output.

Bonus: The Crazy Dynamic Pivot
- PIVOT can flip a row set into column headers...
- ...but the column names must be predefined!
- Dynamic SQL allows an ad-hoc column structure when you want the data, and not a static list, to determine the columns.
- SQL example: the crazy dynamic pivot.
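The dynamic pivot described above, as an added example that is not part of the original slides. The column list is derived from the data and bracketed with QUOTENAME() so that a hostile value in the pivot column cannot break out of the statement. The #Sales table and its rows, including the hostile one, are constructed for the demo.

```sql
-- Added example (not from the original slides): a pivot whose column list comes
-- from the data. The #Sales table and its rows are constructed for this demo.
CREATE TABLE #Sales (SaleYear INT, Region NVARCHAR(60), Amount DECIMAL(10,2));
INSERT INTO #Sales VALUES
    (2014, N'East', 100), (2015, N'East', 150),
    (2014, N'West',  80), (2016, N'West', 120),
    (2015, N'X]) AS p; DROP TABLE #Sales; --', 1);   -- hostile value in the pivot column

-- 1. Build the column list from the data. QUOTENAME() brackets each value and
--    doubles any ] inside it, so the hostile row becomes an odd but legal column
--    name instead of new statements. Two caveats: QUOTENAME() returns NULL for
--    input longer than 128 characters (STRING_AGG then silently skips it), and
--    STRING_AGG needs SQL Server 2017+; use STUFF(... FOR XML PATH('')) before that.
DECLARE @Cols NVARCHAR(MAX);
SELECT @Cols = STRING_AGG(CAST(QUOTENAME(Region) AS NVARCHAR(MAX)), N', ')
               WITHIN GROUP (ORDER BY Region)
FROM (SELECT DISTINCT Region FROM #Sales) AS r;

-- 2. Splice the identifier list (never raw user data) into the PIVOT.
DECLARE @Sql NVARCHAR(MAX) = N'
SELECT SaleYear, ' + @Cols + N'
FROM (SELECT SaleYear, Region, Amount FROM #Sales) AS src
PIVOT (SUM(Amount) FOR Region IN (' + @Cols + N')) AS p
ORDER BY SaleYear;';

PRINT @Sql;   -- inspect the generated statement before trusting it
EXEC sp_executesql @Sql;

DROP TABLE #Sales;
```

PRINT the statement at least once with deliberately ugly data: the bracketed column `[X]]) AS p; DROP TABLE #Sales; --]` is harmless, but seeing it in the output is how you confirm the quoting actually happened.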

Applications and Ideas
- SQL Server schema search.
- SQL Server schema documentation.
- Backups.
- Index maintenance.
- ...

Conclusion
- Dynamic SQL is great, but only use it when needed.
- Always cleanse inputs.
- Always verify security and access to objects.
- Be a neat freak and document thoroughly.
- Be creative!

Come to SQL Saturday Albany on July 30th!!! http://www.sqlsaturday.com/513

How to find me: ed7@alum.rpi.edu, @EdwardPollack, SQL Server Central, SQL Shack, Facebook