Dynamic T-SQL and how it can be useful
In our projects we have to solve various problems. To solve some of them, we use dynamic T-Sql (hereinafter referred to as dynamic sq l).
What is dynamic sql for ? Everyone decides for himself. In one of the projects, using dynamic sql, we solved the tasks of building dynamic reports, in others - data migration. Also dynamic sql is indispensable in cases when you need to create / change / get data or objects, but the values / names come as parameters. Yes, this may seem absurd, but there are also such tasks.
Next, we will show several examples of how this can be implemented using dynamic sql .
')
There are several ways to execute a dynamic command:
These methods differ radically. On a small example, we will try to explain how they differ.
As can be seen from the query above, we form a dynamic team. If you execute
What's wrong with that? - The request will work, and everyone will be happy. But still, there are several reasons why you should not do this:
What will change when using
What has changed?
For both approaches, query plans are cached, but they are different. These differences are shown in Figure 1 and Figure 2 .
Also, one of the advantages of using
Below is an example of how we solved one of the problems in the project using dynamic sql .
Suppose we have a product (yes it doesn’t matter what it is: a product, a job application form, a personal profile). The point is that each object has its own set of properties (attributes) that characterizes it, and there may be a different number, and they will be of a different type. How to store in a database is an architecture problem.
For the client, a report was needed that was n rows per m columns. Where m was our attribute set. The report was collected on a group of objects or for some object from the group. But the meaning remains the same: each report contains a different number of columns for each group of objects.
Since the connection between objects initially existed, the solution was chosen without changing the database architecture. In our opinion, there may be several solutions to this problem:
Link to scripts for creating tables and query .
The report will be based on the usual query:
Let's look at what we wrote here:
What is dynamic sql for ? Everyone decides for himself. In one of the projects, using dynamic sql, we solved the tasks of building dynamic reports, in others - data migration. Also dynamic sql is indispensable in cases when you need to create / change / get data or objects, but the values / names come as parameters. Yes, this may seem absurd, but there are also such tasks.
Next, we will show several examples of how this can be implemented using dynamic sql .
')
There are several ways to execute a dynamic command:
- With the use of the keyword
EXEC/EXECUTE; - C using the stored procedure
sp_executesql
These methods differ radically. On a small example, we will try to explain how they differ.
Sample code with EXEC / EXECUTE
DECLARE @sql varchar(1000) DECLARE @columnList varchar(75) DECLARE @city varchar(75) SET @columnList = 'CustomerID, ContactName, City' SET @city = 'London' SELECT @sql = ' SELECT CustomerID, ContactName, City ' + ' FROM dbo.customers WHERE 1 = 1 ' SELECT @sql = @sql + ' AND City LIKE ''' + @city + '''' EXEC (@sql) As can be seen from the query above, we form a dynamic team. If you execute
select @sql , the result will be the following: SELECT CustomerID, ContactName, City FROM customers WHERE City = 'London' What's wrong with that? - The request will work, and everyone will be happy. But still, there are several reasons why you should not do this:
- When writing a command, it is very easy to make a mistake with the number "'", since additional “'” must be specified to pass the text value to the request.
- With such a query, Sql injections are possible (SQL Injection). For example, it is worth setting a value for
@citylike thisset @city = '''DROP TABLE customers--'''selectoperation succeeds, asDROP TABLE customersoperation. - It is possible that you will have several variables containing the codes of your commands. Something like
EXEC(@sql1 + @sql2 + @sql3).
What difficulties may arise here?
It must be remembered that each command will work separately, although at first glance it may seem that the concatenation operation(@sql1 + @sql2 + @sql3)will be performed, and then the general command will be executed. You also need to remember that a general limitation is imposed on the EXEC command parameter of 4000 characters. - There is an implicit type conversion, since Parameters are passed as a string.
What will change when using
sp_executesql ? - It's easier for a developer to write code and debug it, because The code will be written almost like a normal Sql query.Sample code with sp_executesql
DECLARE @sqlCommand varchar (1000) DECLARE @columnList varchar (75) DECLARE @city varchar (75) SET @city = 'London' SET @sqlCommand = 'SELECT CustomerID, ContactName, City FROM customers WHERE City = @city' EXECUTE sp_executesql @sqlCommand, N'@city nvarchar(75)', @city = @city What has changed?
- Unlike
EXECUTEwhen usingsp_executesql, no type casting is necessary if we use typed parameterssp_executesql. - This solves the problem with the extra "'".
- The security problem is solved - Sql injection (SQL Injection).
For both approaches, query plans are cached, but they are different. These differences are shown in Figure 1 and Figure 2 .
Receiving a request plan
SELECT q.TEXT,cp.usecounts,cp.objtype,p.*, q.*, cp.plan_handle FROM sys.dm_exec_cached_plans cp CROSS apply sys.dm_exec_query_plan(cp.plan_handle) p CROSS apply sys.dm_exec_sql_text(cp.plan_handle) AS q WHERE q.TEXT NOT LIKE '%sys.dm_exec_cached_plans %' and cp.cacheobjtype = 'Compiled Plan' AND q.TEXT LIKE '%customers%' Plan a query when using exec
Query plan when using sp_executesql
Also, one of the advantages of using
sp_executesql is the ability to return a value through the OUT parameter.Below is an example of how we solved one of the problems in the project using dynamic sql .
Suppose we have a product (yes it doesn’t matter what it is: a product, a job application form, a personal profile). The point is that each object has its own set of properties (attributes) that characterizes it, and there may be a different number, and they will be of a different type. How to store in a database is an architecture problem.
For the client, a report was needed that was n rows per m columns. Where m was our attribute set. The report was collected on a group of objects or for some object from the group. But the meaning remains the same: each report contains a different number of columns for each group of objects.
Since the connection between objects initially existed, the solution was chosen without changing the database architecture. In our opinion, there may be several solutions to this problem:
- Use a reporting system, for example, MS Sql Reporting Service . Create a matrix report, and as a request we will have a “simple”
Select. Why we did not do that? There were not many reports in the project to implement SSRS there. - Use the same “simple”
selectand on the server side already create the required “form” DataSet . Yes, the problem was solved initially, when there was very little data on the goods. As soon as there was a lot of data, the time for collecting the report became beyond the established timeout . - Use
Pivotin sql. Yes, a great solution when you know that you have only these attributes, and there will be no new ones. And what to do when the number of attributes often changes. And again, for each group of objects we have our own set of attributes, we will again return to creating a procedure for each group of objects. Not a very convenient solution, is it? - And if you use Pivot, but add a little dynamic sql there ? - Yes, this is a decision that has the right to life. We will describe it as an example of using dynamic sql ...
Link to scripts for creating tables and query .
The report will be based on the usual query:
Main report code
SELECT p.Id as ProductID, p.Name as [], pcp.Name as PropertiesName, vpp.Value as Value FROM dbo.Products p INNER JOIN dbo.PropertiesCategoryOfProducts pcp ON pcp.CategoryOfProductsId = p.CategoryOfProductsId INNER JOIN dbo.ValueOfProductProperty vpp ON vpp.ProductID = p.Id and vpp.PropertiesCategoryOfProductsId = pcp.Id where p.CategoryOfProductsId = @CategoryOfProductsId Request code to build a report
SELECT p.Id as ProductID, p.Name as [], pcp.Name as PropertiesName, vpp.Value as Value FROM dbo.Products p INNER JOIN dbo.PropertiesCategoryOfProducts pcp ON pcp.CategoryOfProductsId = p.CategoryOfProductsId INNER JOIN dbo.ValueOfProductProperty vpp ON vpp.ProductID = p.Id and vpp.PropertiesCategoryOfProductsId = pcp.Id where p.CategoryOfProductsId = @CategoryOfProductsId declare @CategoryOfProductsId int = 1 declare @PivotColumnHeaders nvarchar(max)= REVERSE(STUFF(REVERSE((select '[' + Name + ']' + ',' as 'data()' from dbo.PropertiesCategoryOfProducts t where t.CategoryOfProductsId = @CategoryOfProductsId FOR XML PATH('') )),1,1,'')) if(@PivotColumnHeaders>'') declare @PivotTableSQL nvarchar(max) BEGIN SET @PivotTableSQL = N' SELECT * from (SELECT p.Id as ProductID, p.Name as [], pcp.Name as PropertiesName, vpp.Value as Value FROM dbo.Products p INNER JOIN dbo.PropertiesCategoryOfProducts pcp ON pcp.CategoryOfProductsId = p.CategoryOfProductsId INNER JOIN dbo.ValueOfProductProperty vpp ON vpp.ProductID = p.Id and vpp.PropertiesCategoryOfProductsId = pcp.Id where p.CategoryOfProductsId = @CategoryOfProductsId ) as Pivot_Data PIVOT ( MIN(Value) FOR PropertiesName IN ( ' + @PivotColumnHeaders + ' ) ) AS PivotTable ' EXECUTE sp_executesql @PivotTableSQL, N'@CategoryOfProductsId int', @CategoryOfProductsId = @CategoryOfProductsId; END Let's look at what we wrote here:
- Initializing a variable with the value of our product category -
declare @CategoryOfProductsId int = 1declare @CategoryOfProductsId int = 1 - Next, we need to get a list of columns for our product category, but they should be enclosed in “[]” brackets and listed in “,” as required by the syntax of the
Pivotfunction -Getting a list of columns for the category of goodsdeclare @PivotColumnHeaders nvarchar(max)= REVERSE(STUFF(REVERSE((select '[' + Name + ']' + ',' as 'data()' from dbo.PropertiesCategoryOfProducts t where t.CategoryOfProductsId = @CategoryOfProductsId FOR XML PATH('') )),1,1,''))
Well, then everything is simple: when executing the code, the list of columns for thePivotfunction will be substituted from@PivotColumnHeaders@PivotColumnHeaders
If we executeselect @PivotTableSQL, we will get the query that we would have to write manually without using dynamic sql.
The result of this request will be a report of this type:
In conclusion, it should be noted once again using dynamic sql , we can at first glance solve non-trivial tasks in trivial ways. To do this, sometimes you need to look at the problem from the other side.
Source: https://habr.com/ru/post/272807/
All Articles