[thelist] mssql stored procedure-using a variable for 'AND' and'OR'

Jay Turley jayturley at gmail.com
Mon Aug 25 21:47:05 CDT 2008


On Mon, Aug 25, 2008 at 4:58 PM, Joel D Canfield <joel at bizba6.com> wrote:
>> Note: if you are building an SQL statement dynamically inside
>> your sproc, and then executing that string, then you are
>> defeating the purpose of using parameterised queries - you
>> might as well just use inline SQL.
>
> makes sense

Just wanted to point out that - while I didn't include the script -
the parameters were passed in classic ASP through command object
parameters to provide the type and injection protection that
inline sql can't. This was not the best example because there was not
a strong need to build the SQL inside the proc, whereas in other very
special cases, there was no other solution I could find.

In most cases, however, building the sql inside the sproc is not the
right way to do things.

>
>> If this is ASP.NET
>
> it's not, it's classic ASP. what next?
>

If you still trust me after Ken's stinging rebuke I'm willing to help.

Jay
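The point Jay concedes above (concatenating the bound values into a string inside the procedure throws away the protection the ASP command object gave them) is easier to see side by side. The following T-SQL is an added illustration, not code from this thread or from Jay or Joel; the table dbo.Products, its columns, and the procedure names are assumed for the example.

```sql
-- Added example (not from the thread). Assumed schema: dbo.Products(ProductId, Name, Category).

-- Weak form: the procedure receives typed parameters, but pastes them into a
-- string and executes it. At that moment the bound values are SQL text again,
-- so the parameter binding done in the classic ASP command object bought nothing.
CREATE PROCEDURE dbo.SearchProducts_Weak
    @Name     NVARCHAR(100),
    @Category NVARCHAR(50),
    @Operator VARCHAR(3)          -- caller passes 'AND' or 'OR'
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT ProductId, Name, Category FROM dbo.Products WHERE Name = '''
             + @Name + N''' ' + @Operator + N' Category = ''' + @Category + N'''';
    EXEC (@sql);   -- the assembled string is the query; values became code
END
GO

-- Preferred form: no dynamic SQL at all. The AND/OR choice is expressed as
-- boolean logic on a flag, and the values stay parameters for the whole run.
CREATE PROCEDURE dbo.SearchProducts
    @Name     NVARCHAR(100),
    @Category NVARCHAR(50),
    @UseOr    BIT = 0             -- 0 = AND, 1 = OR
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProductId, Name, Category
    FROM dbo.Products
    WHERE (@UseOr = 0 AND Name = @Name AND Category = @Category)
       OR (@UseOr = 1 AND (Name = @Name OR Category = @Category));
END
GO

-- When dynamic SQL genuinely cannot be avoided (the "very special cases" Jay
-- mentions): keep the values out of the string and hand them to sp_executesql
-- as bound parameters. Only the operator keyword is spliced in, and only after
-- it has been checked against a fixed allow-list.
CREATE PROCEDURE dbo.SearchProducts_Dynamic
    @Name     NVARCHAR(100),
    @Category NVARCHAR(50),
    @Operator VARCHAR(3)
AS
BEGIN
    SET NOCOUNT ON;
    IF @Operator NOT IN ('AND', 'OR')
    BEGIN
        RAISERROR('Operator must be AND or OR', 16, 1);
        RETURN;
    END;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT ProductId, Name, Category FROM dbo.Products WHERE Name = @n '
        + @Operator + N' Category = @c;';

    -- @n and @c are parameters of the inner statement, not text inside it.
    EXEC sp_executesql @sql,
         N'@n NVARCHAR(100), @c NVARCHAR(50)',
         @n = @Name, @c = @Category;
END
GO
```

From classic ASP all three procedures are called the same way, through an ADODB.Command with CommandType adCmdStoredProc and typed parameters appended to its Parameters collection; the difference is entirely in what the procedure does with those values once it has them. The weak form is also the one whose text you would expect to see flagged in a code review or a database-side audit of EXEC(@string) usage.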
