| Author |
Topic |
|
mynkow
Starting Member
12 Posts |
 Posted - 2008-10-03 : 14:12:49
|
| Hi,I want to create a stored procedure with param @aTableName. The statement will look like this.SELECT * FROM @aTableNameIs it possible and if not please someone explain why.Thank you! |
|
|
visakh16
Very Important crosS Applying yaK Herder
52326 Posts |
Posted - 2008-10-03 : 14:20:22
|
its possible but you've to use dynamic sql like belowDECLARE @sql varchar(1000)set @sql='SELECT * FROM '+@aTableNameEXEC (@sql) but question is why do you want to pass the table name dynamically? |
 |
|
|
mynkow
Starting Member
12 Posts |
Posted - 2008-10-03 : 15:50:42
|
| Hithanks for the answer. I am not very good sql programmer. I have a question about the code snippet you post. Is it part of the stored procedure that I want to create or another separate stored procedure/function. "but question is why do you want to pass the table name dynamically?"I have to create big website. All data from the DB will be retrieved by stored procedures. I want to create one stored procedure that gets all fields from a table and that table is actually the param. Doing this I will decrease the number of the stored procedures. And here comes my next question.Is there any way to organize the stored procedures in MSSQL Server 2005 like putting them in different folder. It will be difficult to manage 100-200 stored procedures. The only way managing stored procedures that I found is to name each SP properly and then filter them each time I want to find particular SP. This is very inconvenient. |
|
|
|
hanbingl
Aged Yak Warrior
652 Posts |
Posted - 2008-10-03 : 17:24:27
|
| sounds like you need a DAO layer :) |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2008-10-03 : 17:26:29
|
quote:
Originally posted by mynkow
"but question is why do you want to pass the table name dynamically?"I have to create big website. All data from the DB will be retrieved by stored procedures. I want to create one stored procedure that gets all fields from a table and that table is actually the param. Doing this I will decrease the number of the stored procedures. And here comes my next question.
This is very bad programming in SQL Server. It will suffer from weak security and bad performance.We have thousands of stored procedures.Tara KizerMicrosoft MVP for Windows Server System - SQL Serverhttp://weblogs.sqlteam.com/tarad/Subscribe to my blog |
|
|
|
mynkow
Starting Member
12 Posts |
Posted - 2008-10-03 : 18:48:08
|
quote:
Originally posted by tkizer
quote:
Originally posted by mynkow
"but question is why do you want to pass the table name dynamically?"I have to create big website. All data from the DB will be retrieved by stored procedures. I want to create one stored procedure that gets all fields from a table and that table is actually the param. Doing this I will decrease the number of the stored procedures. And here comes my next question.
This is very bad programming in SQL Server. It will suffer from weak security and bad performance.We have thousands of stored procedures.Tara KizerMicrosoft MVP for Windows Server System - SQL Serverhttp://weblogs.sqlteam.com/tarad/Subscribe to my blog
What is the security problem here? How you manage so many SP. |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2008-10-06 : 12:34:49
|
| Dynamic SQL requires direct table level access. When you are using stored procedures without dynamic SQL, you only have to grant execute on the stored procedure. This means that a user can't connect and query the tables but rather is limited to only what the stored procedures does. If you don't use dynamic SQL, SQL injection is not possible. It's easy to manage that many stored procedures when you have the proper source control and processes in place. Plus we have multiple developers managing them. It is pointless to use stored procedures if you design a system like you are envisioning. You might as well use inline SQL (with parameterized queries, of course). There is no benefit to stored procedures whatsoever with your approach.Tara KizerMicrosoft MVP for Windows Server System - SQL Serverhttp://weblogs.sqlteam.com/tarad/Subscribe to my blog |
|
|
|
mynkow
Starting Member
12 Posts |
Posted - 2008-10-07 : 02:24:18
|
| "It is pointless to use stored procedures if you design a system like you are envisioning. You might as well use inline SQL (with parameterized queries, of course). There is no benefit to stored procedures whatsoever with your approach."You are wrong here :) The database server will be separate machine. One year ago I created a maintenance program and all SQL statements were within the program. When we start it the CPU goes 90-100%. (the program is running on Server1 and the DB is on Server2). Then we transform all SQL statements in the program to Stored Procedures. The CPU now is 20-30%.I do not understand how source control can organize my Stored Procedures? |
|
|
|
visakh16
Very Important crosS Applying yaK Herder
52326 Posts |
Posted - 2008-10-07 : 02:41:20
|
quote:
Originally posted by mynkow
"It is pointless to use stored procedures if you design a system like you are envisioning. You might as well use inline SQL (with parameterized queries, of course). There is no benefit to stored procedures whatsoever with your approach."You are wrong here :) The database server will be separate machine. One year ago I created a maintenance program and all SQL statements were within the program. When we start it the CPU goes 90-100%. (the program is running on Server1 and the DB is on Server2). Then we transform all SQL statements in the program to Stored Procedures. The CPU now is 20-30%.I do not understand how source control can organize my Stored Procedures?
By using a source control mechanism you can 1.create a folder structure based on how you want to organise the stored procedures and add the procedure scripts to it2.you can adopt a policy wherein stored procedures created should be only added to appropriate folder in source control (like alphabetically,as per db where its created...)3. you can also control access to appropriate folders in source control to required people alone to prevent some others from adding or modifying scripts in it. |
|
|
|
mynkow
Starting Member
12 Posts |
Posted - 2008-10-07 : 03:15:04
|
quote:
Originally posted by visakh16
quote:
Originally posted by mynkow
"It is pointless to use stored procedures if you design a system like you are envisioning. You might as well use inline SQL (with parameterized queries, of course). There is no benefit to stored procedures whatsoever with your approach."You are wrong here :) The database server will be separate machine. One year ago I created a maintenance program and all SQL statements were within the program. When we start it the CPU goes 90-100%. (the program is running on Server1 and the DB is on Server2). Then we transform all SQL statements in the program to Stored Procedures. The CPU now is 20-30%.I do not understand how source control can organize my Stored Procedures?
By using a source control mechanism you can 1.create a folder structure based on how you want to organise the stored procedures and add the procedure scripts to it2.you can adopt a policy wherein stored procedures created should be only added to appropriate folder in source control (like alphabetically,as per db where its created...)3. you can also control access to appropriate folders in source control to required people alone to prevent some others from adding or modifying scripts in it.
I know what the source control can do. But the SC only keeps versions of my code. When I want to change one stored procedure or I want simply to find it I will search in MS SQL Server, not in source control. Source Control is something like backup system not managing system. |
|
|
|
visakh16
Very Important crosS Applying yaK Herder
52326 Posts |
Posted - 2008-10-07 : 03:52:32
|
quote:
Originally posted by mynkow
[quote]Originally posted by visakh16I know what the source control can do. But the SC only keeps versions of my code. When I want to change one stored procedure or I want simply to find it I will search in MS SQL Server, not in source control. Source Control is something like backup system not managing system.
thats where policy comes into picture. if your policy is such that the code can be promoted to db only by checking in through SC, the steps will be to get the latest code from SC, make your change and checking it in and then asking for approval. Only persions with approval rights will have rights to run code on the db. this way you can manage what all changes are made to db over time and also track who made a change. |
|
|
|
|
Stored procedure with param