Posted by Erland Sommarskog on 06/07/06 21:24

John (johnxhc@yahoo.com) writes:
> Unfortunately, the client supply the where clause, which could be
> anything, such as
> (Lastname='johnson' or firstname='smith') and (city='Los
> Angeles') or productid in (234,23434,33) ....
> So it is very hard for me to break the search criteria into different
> part and do a union considering the different logical operator
> combination

And who got that bright idea?

Sending WHERE clauses as parameters is a really bad idea. Either you
compose the entire SQL statement in the client. Or you have all the
SQL in the stored procedure. What you have now is the worst of both
worlds.

It will be very difficult to work well. And obvoiusly there is a risk
with SQL injection. And the procedure cache will be a waste.

Back to the drawing board, if you want to hear my opinion.



--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

• Next in forum: Re: SQL Union Problems When Trying to Retrieve Random Records
• Prev in forum: Re: Challenge: Can you optimize this? (summary)
• Thread view: Re: Tough SQL problem, need expert advice!!!

[Reply to this message]