Problem:
Ajax suggest-search on [n] ingredients in recipes. That is: match recipes against multiple ingredients.
For instance:
You could at least parametrize the where clause to avoid SQL injection, something like:
    using System.Data;
    using System.Data.SqlClient;
    using System.Text;

    class Foo
    {
        public static void Main ()
        {
            string[] parameters = {"salt", "water", "flower"};
            SqlConnection connection = new SqlConnection ();
            SqlCommand command = connection.CreateCommand ();
            StringBuilder where = new StringBuilder ();
            // Build the placeholder list "@Param0,@Param1,..." and bind each value
            // as a parameter, so user input never becomes part of the SQL text.
            for (int i = 0; i < parameters.Length; i++)
            {
                if (i != 0)
                    where.Append (",");
                where.AppendFormat ("@Param{0}", i);
                command.Parameters.Add (new SqlParameter ("Param" + i, parameters [i]));
            }
            // "where" now holds the placeholder list to place inside IN (...) in the command text.
        }
    }
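A fuller version of the parameterized approach, as an added example that is not part of the original answer and goes beyond it: it builds the complete command for "recipes that contain all of the given ingredients" and shows an injection string staying in a parameter value. The table and column names (Recipes, RecipeIngredients, IngredientName), the RecipeSearch class, the 100-character column size and the 50-ingredient cap are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

static class RecipeSearch
{
    // SQL Server rejects a request with more than 2100 parameters; stay far below it.
    const int MaxIngredients = 50; // assumed cap

    // Assumed schema: Recipes(Id, Name), RecipeIngredients(RecipeId, IngredientName).
    public static SqlCommand BuildCommand(IEnumerable<string> ingredients)
    {
        string[] terms = ingredients
            .Select(s => (s ?? "").Trim())
            .Where(s => s.Length > 0 && s.Length <= 100) // fits the declared size below
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToArray();
        if (terms.Length == 0 || terms.Length > MaxIngredients)
            throw new ArgumentException("Expected 1 to " + MaxIngredients + " ingredients.");

        var command = new SqlCommand();
        var names = new List<string>();
        for (int i = 0; i < terms.Length; i++)
        {
            // Only generated placeholder names reach the SQL text; user input never does.
            names.Add("@Param" + i);
            // Fixed type and size keep one cached plan per ingredient count.
            command.Parameters.Add("@Param" + i, SqlDbType.NVarChar, 100).Value = terms[i];
        }
        command.Parameters.Add("@Wanted", SqlDbType.Int).Value = terms.Length;

        // A recipe matches only when every requested ingredient is present.
        command.CommandText =
            "SELECT r.Id, r.Name FROM Recipes r " +
            "JOIN RecipeIngredients ri ON ri.RecipeId = r.Id " +
            "WHERE ri.IngredientName IN (" + string.Join(",", names) + ") " +
            "GROUP BY r.Id, r.Name " +
            "HAVING COUNT(DISTINCT ri.IngredientName) = @Wanted";
        return command;
    }

    static void Main()
    {
        // Constructed input: the third value is a typical injection string.
        SqlCommand cmd = BuildCommand(new[] { "salt", "water", "x'); DROP TABLE Recipes;--" });
        Console.WriteLine(cmd.CommandText); // contains only @Param0..@Param2 and @Wanted
        foreach (SqlParameter p in cmd.Parameters)
            Console.WriteLine(p.ParameterName + " = " + p.Value);
    }
}
```

Assign a connection to the returned command before executing it; building it needs no database, so the command text can be inspected in a unit test.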
You have two options. If you're using SQL Server 2008 (or Oracle) you can pass in a table value parameter.
If you're using SQL Server 2005, you can use XML to simulate this capability.
If you're using something earlier than 2005, you need to concatenate the ids in a single string and create a UDF to parse them.
Depending on how you are processing the input ingredients, I think this current method has some SQL injection risks.
You could append the ingredient name to the join conditions, which may be quicker.
You could also hash combinations of ingredients for recipes for a quick lookup.