Sort of
I could call it directly but a Line I omitted was a comment of the
actual fields I need returned.
While in design mode of the thrid party product it REQUIRES (as far as
I can tell) a valid dataset to be selected from the SP,
So if the param is blank I do something like
Select ID, FNAME, LNAME FROM CUSTOMERS WHERE SALE_AMT > 1000
Otherwise I exec the param
This way I can actually work with it in design mode.
I am actually parsing the SQL Out for injection and beyond that the
ONLY route to get it in there is behind the scenes.
The product ?
Reporting Services, As long as my query returns ID, FNAME, LNAME in it
I can pass ANY dataset to it I want from my Asp.net application.
I understand than in RS2005 this will be an available option (passing
it a custom select/dataset, but I need it now.
This works slick as can be.
And since my SQL is "Generated" from a Query Builder, the client at no
time has the ability to enter any ad-hoc sql to bang it up, the SQL is
checked for validity before it even get to RS
Thanks as Always
Chris
Erland Sommarskog wrote:
WertmanTheMad (cw******@webchamps.com) writes: I also got it in the other one, I just wasnt seeing it (In the
http://www.sommarskog.se/dyn-search.html arcticle that is)
Many thanks, this simple problem just opened me up to a whole new
and nearly unlimited way of using an already great product, (the 3rd
part one that is :)
CREATE procedure dbo.mytry
@funk nvarchar(4000)
as
print @funk
exec sp_executesql @sql = @funk
Now, if you instead read http://www.sommarskog.se/dynamic_sql.html,
you can see why this is a pretty useless stored procedure.
Yeah, I know that you said that your 3rd party product required you
to use stored procedure, but in that case you can call sp_executesql
directly. And then you can use parameters to it, so that you don't
expose yourself for SQL injection.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se
Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinf...2000/books.asp
