Home/ Questions/Q 62969
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-10T18:33:33+00:00

I’m working on an application for work that is going to query our employee

  • 0

I’m working on an application for work that is going to query our employee database. The end users want the ability to search based on the standard name/department criteria, but they also want the flexibility to query for all people with the first name of ‘James’ that works in the Health Department. The one thing I want to avoid is to simply have the stored procedure take a list of parameters and generate a SQL statement to execute, since that would open doors to SQL injection at an internal level.

Can this be done?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. While the COALESCE trick is neat, my preferred method is:

    CREATE PROCEDURE ps_Customers_SELECT_NameCityCountry     @Cus_Name varchar(30) = NULL     ,@Cus_City varchar(30) = NULL     ,@Cus_Country varchar(30) = NULL     ,@Dept_ID int = NULL     ,@Dept_ID_partial varchar(10) = NULL AS SELECT Cus_Name        ,Cus_City        ,Cus_Country        ,Dept_ID FROM Customers WHERE (@Cus_Name IS NULL OR Cus_Name LIKE '%' + @Cus_Name + '%')       AND (@Cus_City IS NULL OR Cus_City LIKE '%' + @Cus_City + '%')       AND (@Cus_Country IS NULL OR Cus_Country LIKE '%' + @Cus_Country + '%')       AND (@Dept_ID IS NULL OR Dept_ID = @DeptID)       AND (@Dept_ID_partial IS NULL OR CONVERT(varchar, Dept_ID) LIKE '%' + @Dept_ID_partial + '%')

    These kind of SPs can easily be code generated (and re-generated for table-changes).

    You have a few options for handling numbers – depending if you want exact semantics or search semantics.

    • 0