Creating a dynamic search form with database paging Tony Rogerson SQL Server MVP Torver Computer Consultants.


Slide 1: Creating a dynamic search form with database paging
Tony Rogerson, SQL Server MVP, Torver Computer Consultants

Slide 2: What are we trying to do?

Slide 3: The presentation
Methods of coding the stored procedure
  – Static SQL method
  – Dynamic SQL method
  – Pros and cons of each approach
  – SQL injection/security
  – The execution cache
ASP.NET (VB.NET) interface
  – Overview
  – Coding specifics

Slide 4: Static SQL method
Same stored procedure parameters for every method:
  create procedure paging_orders_method2_get
      @page_number smallint,
      @rows        tinyint,
      @pages       smallint = NULL OUTPUT,
      @EmployeeID  int = NULL,
      @CustomerID  nchar(10) = NULL

Slide 5: Static SQL method – ISNULL
  select *
  from Orders o
      left outer join Employees e on e.EmployeeID = o.EmployeeID
      left outer join Customers c on c.CustomerID = o.CustomerID
  where o.CustomerID = isnull( @CustomerID, o.CustomerID )
    and o.EmployeeID = isnull( @EmployeeID, o.EmployeeID )
  order by o.ShippedDate desc

STATISTICS IO output:
  Table 'Customers'. Scan count 5, logical reads 10.
  Table 'Employees'. Scan count 5, logical reads 10.
  Table 'Orders'. Scan count 1, logical reads 21.

Slide 6: Static SQL method – AND/OR
  select *
  from Orders o
      left outer join Employees e on e.EmployeeID = o.EmployeeID
      left outer join Customers c on c.CustomerID = o.CustomerID
  -- a NULL parameter means "no filter on this column"
  where ( @CustomerID is null or o.CustomerID = @CustomerID )
    and ( @EmployeeID is null or o.EmployeeID = @EmployeeID )
  order by o.ShippedDate desc

STATISTICS IO output:
  Table 'Customers'. Scan count 5, logical reads 10.
  Table 'Employees'. Scan count 5, logical reads 10.
  Table 'Orders'. Scan count 2, logical reads 40.

Slide 7: Static SQL method – IF THEN ELSE
  if @EmployeeID is not null
      if @CustomerID is not null
          select ....
          from Orders o
              left outer join Employees e on e.EmployeeID = o.EmployeeID
              left outer join Customers c on c.CustomerID = o.CustomerID
          where o.CustomerID = @CustomerID
            and o.EmployeeID = @EmployeeID
          order by o.ShippedDate desc
      else
          select ....
          from Orders o
              left outer join Employees e on e.EmployeeID = o.EmployeeID
              left outer join Customers c on c.CustomerID = o.CustomerID
          where o.EmployeeID = @EmployeeID
          order by o.ShippedDate desc
  else
      select ....
      from Orders o
          left outer join Employees e on e.EmployeeID = o.EmployeeID
          left outer join Customers c on c.CustomerID = o.CustomerID
      where o.CustomerID = @CustomerID
      order by o.ShippedDate desc

Slide 8: Static SQL – summary
Inflexible for optional parameters.
IF THEN ELSE is efficient, but produces a big plan, which increases the chance of a recompile; greater maintenance burden.
ISNULL and AND/OR give one general plan, which may be a very bad plan for a particular parameter combination.
More secure than dynamic SQL.

Slide 9: Dynamic SQL – coding
  declare @nsql nvarchar(4000), @nwhere_clause nvarchar(1000)   -- declarations not shown on the slide
  set @nwhere_clause = ' where 1 = 1'   -- assumed starting clause, so each optional predicate can be appended with "and"

  -- only the parameter NAMES are appended to the string; the values are passed separately
  if @EmployeeID is not null
      set @nwhere_clause = @nwhere_clause + ' and o.EmployeeID=@EmployeeID'
  if @CustomerID is not null
      set @nwhere_clause = @nwhere_clause + ' and o.CustomerID=@CustomerID'

  set @nsql = ' select o.OrderID, c.CompanyName,
                       EmployeeName = e.LastName + '', '' + e.FirstName,
                       ShippedDate = CONVERT( varchar(20), o.ShippedDate, 106 )
                from Orders o
                    left outer join Employees e on e.EmployeeID = o.EmployeeID
                    left outer join Customers c on c.CustomerID = o.CustomerID '
              + @nwhere_clause
              + ' order by o.ShippedDate desc '

  -- sp_executesql binds the values as parameters, so the text is identical for each combination and the plan is reused
  EXEC sp_executesql @nsql, N'@EmployeeID int, @CustomerID nchar(10)', @EmployeeID, @CustomerID

Slide 10: Dynamic SQL – summary
A specific plan for each parameter combination.
The plan is reused.
Use sp_executesql.
Parameterise instead of hard-coding constants.
Be careful of SQL injection.
Security implications.

Slide 11: Security
Use the ADO.NET SqlCommand object instead of building a SQL string.
SQL injection: if a value does have to be embedded in the string, remember to replace a single quote with two single quotes… REPLACE(, ''', '''' )
Permission is required on the base tables used within the dynamic SQL block (ownership chaining does not cover dynamic SQL). However, you can create views over the base tables and grant permission on those instead.
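As an added example that is not code from the slides or from the speaker, the following puts slides 9 to 11 together into one complete paging procedure, so the dynamic WHERE clause, the parameterised execution and the @pages OUTPUT parameter can be seen working end to end. Assumed here and not shown on the slides: the procedure name paging_orders_dynamic_get, the nvarchar(max) variables, the count query used to fill @pages, and paging by ROW_NUMBER() (which needs SQL Server 2005 or later); the Orders, Employees and Customers tables are the ones named on the slides.

```sql
-- Added example, not the speaker's code: dynamic search with database paging.
-- Assumes SQL Server 2005+ and the Orders/Employees/Customers tables from the slides.
create procedure paging_orders_dynamic_get
    @page_number smallint,
    @rows        tinyint,
    @pages       smallint = NULL OUTPUT,
    @EmployeeID  int = NULL,
    @CustomerID  nchar(10) = NULL
as
begin
    set nocount on

    declare @nwhere_clause nvarchar(500),
            @nsql          nvarchar(max),
            @ncount        nvarchar(max),
            @total         int,
            @first         int,
            @last          int

    -- defensive defaults: the page arithmetic below needs positive values
    if @rows is null or @rows < 1 set @rows = 10
    if @page_number is null or @page_number < 1 set @page_number = 1

    -- build the WHERE clause from fixed text only: the parameter NAMES go into
    -- the string, the parameter VALUES never do, so a value containing quotes
    -- or comment markers is just data to compare against
    set @nwhere_clause = N' where 1 = 1'
    if @EmployeeID is not null
        set @nwhere_clause = @nwhere_clause + N' and o.EmployeeID = @EmployeeID'
    if @CustomerID is not null
        set @nwhere_clause = @nwhere_clause + N' and o.CustomerID = @CustomerID'

    -- total row count for the @pages OUTPUT parameter, returned through
    -- sp_executesql's own OUTPUT parameter
    set @ncount = N'select @total = count(*) from Orders o' + @nwhere_clause
    exec sp_executesql @ncount,
        N'@EmployeeID int, @CustomerID nchar(10), @total int OUTPUT',
        @EmployeeID, @CustomerID, @total OUTPUT
    set @pages = ceiling(@total * 1.0 / @rows)

    -- the requested page: ROW_NUMBER() numbers the sorted rows, then a window
    -- of @rows rows is selected by parameter
    set @first = (@page_number - 1) * @rows + 1
    set @last  = @page_number * @rows

    set @nsql = N'
        select OrderID, CompanyName, EmployeeName, ShippedDate
        from (
            select o.OrderID, c.CompanyName,
                   EmployeeName = e.LastName + N'', '' + e.FirstName,
                   ShippedDate  = convert(varchar(20), o.ShippedDate, 106),
                   rn = row_number() over (order by o.ShippedDate desc, o.OrderID)
            from Orders o
                left outer join Employees e on e.EmployeeID = o.EmployeeID
                left outer join Customers c on c.CustomerID = o.CustomerID'
        + @nwhere_clause + N'
        ) as x
        where rn between @first and @last
        order by rn'

    -- identical text for the same parameter combination => one cached plan per
    -- combination, reused on every call (what slide 12 checks)
    exec sp_executesql @nsql,
        N'@EmployeeID int, @CustomerID nchar(10), @first int, @last int',
        @EmployeeID, @CustomerID, @first, @last
end
```

A call such as `declare @p smallint; exec paging_orders_dynamic_get @page_number = 2, @rows = 20, @pages = @p OUTPUT, @EmployeeID = 5` (5 is a made-up sample value) returns the second page of 20 rows and the page count in @p. Because the text inside sp_executesql runs as a separate batch, the caller needs SELECT permission on Orders, Employees and Customers (or on views over them, as slide 11 suggests); EXECUTE on the procedure alone is not enough. Unlike the ISNULL form on slide 5, this version also keeps orders whose EmployeeID or CustomerID is NULL when that parameter is not supplied, because no predicate is added for it at all.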

Slide 12: Execution cache
Check master..syscacheobjects.

After 1 execution of each parameter combination:
  Pages  usecount  refcount  sql
  1      1         1         o.CustomerID=@CustomerID
  2      1         1         o.EmployeeID=@EmployeeID and o.CustomerID=@CustomerID
  1      1         1         o.EmployeeID=@EmployeeID

After 5 executions:
  Pages  usecount  refcount  sql
  1      5         1         o.CustomerID=@CustomerID
  2      5         1         o.EmployeeID=@EmployeeID and o.CustomerID=@CustomerID
  1      5         1         o.EmployeeID=@EmployeeID

After 5 executions – check usecount – plan reuse!
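The check behind slide 12, written out as an added example rather than the speaker's own query: the first statement is the SQL Server 2000 form the slide refers to (master..syscacheobjects), the second is the equivalent on SQL Server 2005 and later using the plan-cache DMVs. The LIKE patterns assume the predicate text exactly as the slide 9 code builds it.

```sql
-- Added example: confirm that the parameterised dynamic SQL is being reused.
-- One row per distinct WHERE-clause text; usecounts should climb with each call
-- instead of new rows appearing.

-- SQL Server 2000: the table the slide refers to
select pagesused, usecounts, refcounts, cacheobjtype, objtype, sql
from master..syscacheobjects
where sql like '%o.EmployeeID=@EmployeeID%'
   or sql like '%o.CustomerID=@CustomerID%'
order by usecounts desc

-- SQL Server 2005 and later: the DMV equivalent
select cp.size_in_bytes / 8192 as pages, cp.usecounts, cp.refcounts,
       cp.cacheobjtype, cp.objtype, st.text
from sys.dm_exec_cached_plans as cp
    cross apply sys.dm_exec_sql_text(cp.plan_handle) as st
where st.text like '%o.EmployeeID=@EmployeeID%'
   or st.text like '%o.CustomerID=@CustomerID%'
order by cp.usecounts desc
```

If values had been concatenated into the string instead of passed as parameters, this query would show one cached entry per distinct value with usecounts stuck at 1, which is both the performance symptom and the injection warning sign.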

Slide 13: ASP.NET part
Use ViewState( ) to keep track of the page number and the maximum number of pages.
The output parameter cannot be picked up until the DataReader has been closed.

Slide 14: Questions

