Building Dynamic SQL Statements

The most useful method for building dynamic SQL is to create a stored procedure which accepts parameters. This part of the series explains how to create some basic stored procedures to generate and execute dynamic SQL statements.

Selecting from any Table

For our first example we'll create a stored procedure which will allow a user to pass in the name of any table via a parameter and which will return the first ten records from that table.

You could also create the same procedure using the sp_executesql stored procedure.

Once you've created the stored procedure you can then call it and pass in the name of any table, as shown below:

Each call to the stored procedure selects the first ten records from the specified table.

Choosing the Number of Records to Display

We can extend the above example by adding a second parameter which allows users to specify how many records they want to display.

Once the procedure has been created you can call it and specify how many records you want from whichever table.

Some sample output from executing these three lines is shown below:

Each call to the stored procedure returns a different number of records from a different table.

Dynamic Criteria

You can use dynamic SQL to make the WHERE clause of a statement variable. The example below creates a procedure which allows any word to be passed in to the criteria of a simple query:

Notice the use of multiple single quotes to concatenate the quotes that will enclose the word passed in via the parameter. Once the procedure has been created you can call it to show any film whose title matches the word you have asked for:

The output from this code is shown below:

There are three films whose names are exactly equal to the text passed into the stored procedure.

We can make the procedure somewhat more flexible by using the LIKE operator along with some wildcards:

Now, rather than having to pass in an exact film title you can search for films whose name contains any word:

The output from the code above is:

Any film whose name contains the word King appears in the results.

Using the IN Operator

Although you can create basic dynamic criteria using simple parameters, you can't easily use this technique with the IN operator.  This operator accepts a comma-separated list of values, as shown below:

You can't use a simple parameter to set the input for the IN operator, but you could use dynamic SQL to do it:

You can now call the procedure passing in as many different values as you like within a single string:

Using Parameters with sp_executesql

We've already mentioned that using the sp_executesql stored procedure can make your dynamic SQL queries faster because they can reuse a cached query plan whereas the simple EXEC statement can't. Another major difference between the two methods is that sp_executesql has extra optional parameters which allow you to set the criteria of a dynamic SQL query.

The basic syntax of the argument list is shown below:

As an example we can create a single parameter for a simple SQL statement like so:

In the code above the first argument contains the SQL statement that we are executing as a unicode string and includes a reference to the parameter called @Length. The second argument contains the definition of the @Length parameter as another unicode string. The final argument sets the value of the parameter that we have defined.  Executing the above code will show all of the films whose running times are 120 minutes.

We can use multiple parameters with this technique, as shown in the code below:

Again, the first argument defines the complete SQL statement and the second argument defines the parameters that are referenced within the SQL statement. The subsequent arguments are then used to set the values of parameters that have been defined.

What's Next?

Now that you've seen several ways to use dynamic SQL it's time to point out one of the hidden dangers. Read the next part of this series to learn about the dreaded SQL injection attack.