Chapter xx - Dynamic SQL

DYNAMIC SQL

The EXEC Command and Dynamic SQL

We’ve already seen that you can use EXEC to run a stored procedure. However, you can also use
the same command to run any valid SQL enclosed in parentheses:

This command will execute the stored procedure called spSimple

CREATE PROC spSimple which we’ve just created, and hence list the certificates.
AS
-- list all the certificates
SELECT * FROM [Certificate] However, you could have done the same thing by executing the
statement in brackets and quotation marks.
GO
-- run this procedure -- list out all of the certificates
EXEC spSimple EXEC('SELECT * FROM [Certificate]')

Wise Owl’s Hint

Dynamic SQL involves building up a valid SQL command to run, and then executing it using the EX

Why not to Use Dynamic SQL

Purists programmers wouldn’t touch dynamic SQL with a bargepole. Here’s why:

Problem Explanation
SQL injection If you build up a long SQL statement to execute, how do you know what it’s going to
do? This is especially the case when the statement is getting parameters from a
website. Malicious users frequently try to input semi-colons into web forms, hoping to
end your SQL statement being built up behind the scenes and begin their own!
Syntax Because the SQL statement you’re constructing is in a text string, there’s no way that
Management Studio can parse it to check that it makes sense.
Speed For the same reason, SQL Server can’t optimise SQL contained in a text string, as it
would do for the same query normally.

Wise Owl’sAdvanced
Hint Hint

You can mitigate to some extent all these disadvantages by using sp_executesql to run your dyna

© Copyright 2022 Page 1

 Chapter xx - Dynamic SQL

Example –Parameterising Row Selection

The procedure below allows you to run any select command against any table:

This procedure takes the following 3 parameters:

CREATE PROC spSelectAnything(
@TableName varchar(100), Parameter What it
@ColumnNames varchar(max),
@SortColumnName varchar(100) @TableName The name of the table from
) which you want to select data.
AS @ColumnNames The columns from this table
you want to display.
@SortColumnNam The name of the column you
-- this procedure uses dynamic SQL e want to sort by
-- to select any columns
-- from any table in any order!
-- string variable to hold SQL The procedure builds up a text string. Suppose that you
-- command we'll accumulate run this procedure with these 3 arguments:
DECLARE @sql VARCHAR(MAX) = -- list out genres
'SELECT ' + EXEC spSelectAnything
@ColumnNames + @TableName='Genre',
' FROM ' + @ColumnNames = 'GenreID,Genre',
@TableName + @SortColumnName='Genre'
' ORDER BY ' +
@SortColumnName Then this debug line will show the SQL command about
-- for debug, show value of this to be executed:
-- text variable
SELECT @sql

-- run it!
EXEC(@sql)

Finally, the procedure executes the command which it’s painstakingly built up to
show the list of genres in genre name order:

© Copyright 2022 Page 2