Results 1 to 14 of 14

Thread: [RESOLVED] Allow users to build WHERE clauses

Threaded View

  1. #1

    Thread Starter
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    Connecticut
    Posts
    18,263

    Resolved [RESOLVED] Allow users to build WHERE clauses

    I need to allow users to build a WHERE clause.

    Basically I am in a STORED PROCEDURE that allows any table to be selected from - by specifying the table name in a parameter to the SPROC. The SPROC builds the SELECT statement and then does an EXEC()

    Code:
    .
    ... lots of sql removed here ...
    .
    Declare @ES nvarchar(max)
    
    Declare @KW varchar(max)
    If @Kiosk=1
          Set @KW=' Where 1=2'
    Else  If IsNull(@RowKey,'')<>''
                Set @KW=' Where '+@RKF+'='+@RowKey
          Else  Set @KW=''
    
    Declare @FT varchar(max)
    If @Filter=1
          Set @FT='Top 1000 '
    Else  Set @FT=''
    
    Set @ES='Select ' + @FT + @SL + @KS + ','''' "awcRowDirty" From '+@TblName+@KW+' Order by 1,2'
    --select @ks,@es
    Exec (@ES)
    This has been in use for a while - returning all the rows of the table - and allowing client-side filtering in a web app.

    I am now encountering tables with insane numbers of rows - 8 million in a payroll history table for instance. And to make matters worse, the web server is hosted and the "database" I am pulling from is hidden - for security purposes - behind a "linked server" entry in the local web server database (that linked server DB resides on a client machine somewhere else that is firewall "open" to my web host).

    Talk about convoluted!

    So - my approach so far, limit the initial pull to TOP 1000, for instance - so I can at least expose the web app to what columns are available and potential data types for those columns.

    I now need to allow the user to enter the column to "filter" on and the data values to use.

    Simple ones - no problem. Fiscal Year - enter a number like 2020.

    Vendor Name - more complex. Need to allow for wildcards - so they could do %Verizon%.

    I am concerned about sql injection - not malicious - more accidental. Entering free text that could contain delimiters that I need to detect and remove.

    Anyone ever go down a path like this?

    TIA!
    Last edited by szlamany; Apr 22nd, 2021 at 06:28 AM.

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width