What is dynamic SQL?

暗喜 2020-12-05 02:28

I just asked an SQL-related question, and the first answer was: "This is a situation where dynamic SQL is the way to go."

As I had never heard of

9 answers
  • 2020-12-05 02:40

    Dynamic SQL is simply a SQL statement that is composed on the fly before being executed. For example, the following C# (using a parameterized query):

    // Parameterized: the statement text is fixed; idValue travels to the server as a typed parameter.
    var command = new SqlCommand("select * from myTable where id = @someId");
    command.Parameters.Add(new SqlParameter("@someId", idValue));
    

    Could be re-written using dynamic sql as:

    // Dynamic: idValue is spliced into the statement text, so its content becomes part of the SQL.
    var command = new SqlCommand("select * from myTable where id = " + idValue);
    

    Keep in mind, though, that Dynamic SQL is dangerous since it readily allows for SQL Injection attacks.

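The same query written both ways, as an added example that is not part of the answer above (it uses Python's built-in sqlite3 module against a constructed in-memory table rather than C# and SQL Server; the table and its rows are made up for the demonstration). The crafted id value shows why the answer calls the concatenated form dangerous: the text of the value becomes part of the statement, while the parameterized form treats it purely as data.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory myTable (assumption, not the answer's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany(
        "INSERT INTO myTable VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def select_by_id_dynamic(conn, id_value):
    """Dynamic SQL: the value is concatenated into the statement text (the risky form)."""
    sql = "SELECT id, owner FROM myTable WHERE id = " + str(id_value)
    return conn.execute(sql).fetchall()


def select_by_id_parameterized(conn, id_value):
    """Parameterized query: the text never changes; the driver binds id_value as data."""
    sql = "SELECT id, owner FROM myTable WHERE id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Ordinary input: both forms return the single matching row.
    print(select_by_id_dynamic(db, 2))          # [(2, 'bob')]
    print(select_by_id_parameterized(db, 2))    # [(2, 'bob')]
    # Crafted input: the dynamic form now matches every row because the text
    # became part of the WHERE clause; the parameterized form compares the
    # whole string against the integer column and matches nothing.
    print(select_by_id_dynamic(db, "2 OR 1=1"))        # all three rows
    print(select_by_id_parameterized(db, "2 OR 1=1"))  # []
```

The check a reviewer wants is the last pair of lines: if a value that is not a valid id changes the row count, the value reached the statement text and the query is dynamic in the dangerous sense.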
  • 2020-12-05 02:42

    Dynamic SQL is merely where the query has been built on the fly - with some vendors, you can build up the text of the dynamic query within one stored procedure, and then execute the generated SQL. In other cases, the term merely refers to a decision made by code on the client (this is at least vendor neutral).

  • 2020-12-05 02:43

    Rowland is correct, and as an addendum, unless you're properly using parameters (versus just concatenating parameter values inline from provided text, etc.) it can also be a security risk. It's also a bear to debug, etc.

    Lastly, whenever you use dynamic SQL unwisely, things are unleashed and children are eaten.

  • 2020-12-05 02:46

    Other answers have defined what dynamic SQL is, but I didn't see any other answers that attempted to describe why we sometimes need to use it. (My experience is SQL Server, but I think other products are generally similar in this respect.)

    Dynamic SQL is useful when you are replacing parts of a query that can't be replaced using other methods.

    For example, every time you call a query like:

    SELECT OrderID, OrderDate, TotalPrice FROM Orders WHERE CustomerID = ?? 
    

    you will be passing in a different value for CustomerID. This is the simplest case, and one that can by solved using a parameterized query, or a stored procedure that accepts a parameter, etc.

    Generally speaking, dynamic SQL should be avoided in favor of parameterized queries, for performance and security reasons. (Although the performance difference probably varies quite a bit between vendors, and perhaps even between product versions, or even server configuration).

    Other queries are possible to do using parameters, but might be simpler as dynamic SQL:

    SELECT OrderID, OrderDate, TotalPrice FROM Orders 
    WHERE CustomerID IN (??,??,??)
    

    If you always had 3 values, this is as easy as the first one. But what if this is a variable-length list? It's possible to do with parameters, but can be very difficult. How about:

    SELECT OrderID, OrderDate, TotalPrice FROM Orders WHERE CustomerID = ??
    ORDER BY ??
    

    This can't be substituted directly; you can do it with a huge complicated CASE statement in the ORDER BY explicitly listing all possible fields, which may or may not be practical, depending on the number of fields available to sort by.

    Finally, some queries simply CAN'T be done using any other method.

    Let's say you have a bunch of Orders tables (not saying this is great design), but you might find yourself hoping you can do something like:

    SELECT OrderID, OrderDate, TotalPrice FROM ?? WHERE CustomerID = ??
    

    This can't be done using any other methods. In my environment, I frequently encounter queries like:

    SELECT (programmatically built list of fields)
    FROM table1 INNER JOIN table2
    (Optional INNER JOIN to table3)
    WHERE (condition1)
    AND (long list of other optional WHERE clauses)
    

    Again, not saying that this is necessarily great design, but dynamic SQL is pretty much required for these types of queries.

    Hope this helps.

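The three cases the answer above lists (a variable-length IN list, a caller-chosen ORDER BY column, and a caller-chosen table) handled in one query builder, as an added example that is not part of the answer. It is written in Python with the built-in sqlite3 module; the Orders and OrdersArchive tables, their columns and rows are constructed for the demonstration. The design point is the split the answer hints at: values that vary per call are still bound as parameters (placeholders are generated to match the list length), and only identifiers, which cannot be parameterized, go into the statement text, after being checked against a fixed allowlist.

```python
import sqlite3

# Allowlists of identifiers the caller may pick (assumption: these are the only
# tables and sort columns the application supports).
ALLOWED_TABLES = {"Orders", "OrdersArchive"}
ALLOWED_SORT_COLUMNS = {"OrderID", "OrderDate", "TotalPrice"}


def make_db():
    """Constructed sample data: two Orders-shaped tables in memory."""
    conn = sqlite3.connect(":memory:")
    for table in sorted(ALLOWED_TABLES):
        conn.execute(
            f"CREATE TABLE {table} (OrderID INTEGER, OrderDate TEXT, "
            f"TotalPrice REAL, CustomerID INTEGER)"
        )
    conn.executemany("INSERT INTO Orders VALUES (?, ?, ?, ?)", [
        (1, "2020-11-01", 30.0, 7),
        (2, "2020-11-03", 12.5, 8),
        (3, "2020-11-02", 99.0, 7),
        (4, "2020-11-04", 5.0, 9),
    ])
    conn.executemany("INSERT INTO OrdersArchive VALUES (?, ?, ?, ?)", [
        (100, "2019-01-01", 40.0, 7),
    ])
    return conn


def build_orders_query(table, customer_ids, sort_by):
    """Return (sql, params). Identifiers are allowlisted into the text;
    customer ids are returned as bound parameters, one placeholder each."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_by!r}")
    if not customer_ids:
        raise ValueError("customer_ids must not be empty")
    # IN (?, ?, ?): the placeholder count follows the list length, so the
    # statement text depends only on how many values there are, not on them.
    placeholders = ", ".join("?" for _ in customer_ids)
    sql = (
        f"SELECT OrderID, OrderDate, TotalPrice FROM {table} "
        f"WHERE CustomerID IN ({placeholders}) ORDER BY {sort_by}"
    )
    return sql, tuple(customer_ids)


def fetch_orders(conn, table, customer_ids, sort_by):
    """Build the dynamic statement and execute it with the ids bound as data."""
    sql, params = build_orders_query(table, customer_ids, sort_by)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_orders_query("Orders", [7, 8], "OrderDate")[0])
    print(fetch_orders(db, "Orders", [7, 8], "OrderDate"))
    print(fetch_orders(db, "OrdersArchive", [7], "OrderID"))
    try:
        build_orders_query("Orders", [7], "OrderNotes")
    except ValueError as err:
        print("rejected:", err)
```

Two things to notice when running it: an unknown sort column or table is rejected before any SQL text exists, and a customer id that is a string rather than a number is still only compared as data, so it matches nothing instead of altering the query. The same split applies when the text is assembled inside a stored procedure, as the second answer describes.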
  • 2020-12-05 02:47

    It is exactly what Rowland mentioned. To elaborate on that a bit, take the following SQL:

    Select * from table1 where id = 1
    

    I am not sure which language you are using to connect to the database, but if I were to use C#, an example of a dynamic SQL query would be something like this:

    // Dynamic: userid is concatenated into the statement text rather than passed as a parameter.
    string sqlCmd = "Select * from table1 where id = " + userid;
    

    You want to avoid using dynamic SQL, because it becomes a bit cumbersome to keep integrity of the code if the query gets too big. Also, very important, dynamic SQL is susceptible to SQL injection attacks.

    A better way of writing the above statement would be to use parameters, if you are using SQL Server.

  • 2020-12-05 02:51

    Is it something vendor specific?

    The SQL-92 Standard has a whole chapter on dynamic SQL (chapter 17) but it only applies to FULL SQL-92 and I know of no vendor that has implemented it.
