sql_variant parameters and Dynamic SQL

Let’s start off by saying that this article is not a recommendation to use sql_variant as a data type. There are many articles, written by far more reputable people, that explain why sql_variant isn’t a good choice of data type. That said, if you are using dynamic SQL then you can pass one as a parameter and have the dynamic statement cast that parameter to the correct data type. For a "catch all" query, where you are passing both a dynamic column and a value that could have different data types, this permits you…
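As an added illustration of the idea in that excerpt (this is example code written for this page, not code from the original article), the procedure below takes a column name and a sql_variant value, looks up the column's declared type in the catalog, and casts the parameter to that type inside the dynamic statement. Without the CAST, a comparison between a typed column and a sql_variant parameter is done in sql_variant (the highest type in the precedence order), which converts the column rather than the parameter and defeats any index on it. The dbo.Customers table and its rows are constructed for the example.

```sql
-- Added example (not from the original article): a "catch all" search over a
-- hypothetical dbo.Customers table. The caller passes the column name and a
-- sql_variant value; the procedure resolves the column's declared type from the
-- catalog and CASTs the parameter to it inside the dynamic statement.
CREATE TABLE dbo.Customers
(
    CustomerID int           NOT NULL PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    JoinDate   date          NOT NULL,
    Balance    decimal(12,2) NOT NULL
);
INSERT INTO dbo.Customers (CustomerID, Name, JoinDate, Balance)   -- constructed sample rows
VALUES (1, N'Ada',   '2020-01-15', 120.50),
       (2, N'Grace', '2021-06-30',   0.00),
       (3, N'Linus', '2020-01-15',  75.25);
GO

CREATE OR ALTER PROCEDURE dbo.GetCustomersBy
    @Column sysname,
    @Value  sql_variant
AS
BEGIN
    SET NOCOUNT ON;

    -- Resolve the declared type of the requested column, including length,
    -- precision and scale where they matter. The type name comes from sys.types,
    -- so it is catalog data, not caller input.
    DECLARE @TypeDef nvarchar(128);
    SELECT @TypeDef = QUOTENAME(t.name)
        + CASE
            WHEN t.name IN ('char', 'varchar', 'binary', 'varbinary')
                THEN CONCAT('(', IIF(c.max_length = -1, 'MAX', CONVERT(varchar(10), c.max_length)), ')')
            WHEN t.name IN ('nchar', 'nvarchar')
                THEN CONCAT('(', IIF(c.max_length = -1, 'MAX', CONVERT(varchar(10), c.max_length / 2)), ')')
            WHEN t.name IN ('decimal', 'numeric')
                THEN CONCAT('(', c.precision, ',', c.scale, ')')
            ELSE ''
          END
    FROM sys.columns AS c
    JOIN sys.types   AS t ON t.user_type_id = c.user_type_id
    WHERE c.object_id = OBJECT_ID(N'dbo.Customers')
      AND c.name      = @Column;

    -- Unknown column: fail closed instead of building a statement we cannot trust.
    IF @TypeDef IS NULL
        THROW 50000, N'Unknown column passed to GetCustomersBy.', 1;

    -- The column name is an identifier, so it is QUOTENAME'd; the value stays a
    -- parameter and is cast to the column's own type inside the statement.
    DECLARE @SQL nvarchar(MAX) = N'SELECT CustomerID, Name, JoinDate, Balance' + NCHAR(13) + NCHAR(10)
        + N'FROM dbo.Customers' + NCHAR(13) + NCHAR(10)
        + N'WHERE ' + QUOTENAME(@Column) + N' = CAST(@Value AS ' + @TypeDef + N');';

    PRINT @SQL;  -- show the generated statement
    EXEC sys.sp_executesql @SQL, N'@Value sql_variant', @Value = @Value;
END;
GO

-- One procedure serves a date, a string and a decimal search; each call builds a
-- WHERE clause that compares in the column's declared type.
DECLARE @d sql_variant = CONVERT(date, '2020-01-15');
EXEC dbo.GetCustomersBy @Column = N'JoinDate', @Value = @d;   -- rows 1 and 3

DECLARE @n sql_variant = N'Grace';
EXEC dbo.GetCustomersBy @Column = N'Name', @Value = @n;       -- row 2

DECLARE @b sql_variant = CONVERT(decimal(12,2), 75.25);
EXEC dbo.GetCustomersBy @Column = N'Balance', @Value = @b;    -- row 3
```

The CASE only spells out the length, precision and scale for the families where they change the meaning of the type; for other types the bare name is enough for the CAST. Column types that sql_variant cannot hold (the MAX types, xml and so on) are not a problem here, because the cast target is the column's type, not the parameter's.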

Moving to Markdown

Sorry I haven’t posted in a while. I’ve been working on changing the website to support Markdown, while trying to keep the custom formatting I have added to Prism.js for things like my code blocks (using the Cascadia Code font and the additional buttons), and being able to continue to do some more non-standard Markdown things like giving my headers an id value so that I can link to them directly. I’ve finally managed to get this mostly working, so new posts won’t look strikingly different. The only real visual change is that inline code blocks (like this)…

An in-depth look at injecting

Injecting into SQL is something I have covered multiple times, but today I wanted to cover it more fully, to touch on why doing it incorrectly is a problem and on the different ways to inject properly. Some of this will definitely repeat things I’ve said before, but I felt that having it all in one article isn’t a bad thing. When SQL injection goes wrong: the biggest problem with injecting is doing it incorrectly, and thus opening your instance up to SQL injection attacks. For those of you that don’t know what…
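To make the "incorrectly" concrete, here is an added example (written for this page, not taken from the article) of the two ways a value and an identifier can end up in a dynamic statement. The unsafe procedure splices the value into the string; the safe one passes it as a parameter to sp_executesql, and handles the one thing that cannot be a parameter, the ORDER BY column, by checking it against the catalog and wrapping it in QUOTENAME. The dbo.Users table, its rows and the payload are all constructed.

```sql
-- Added example (not from the original article). Hypothetical dbo.Users table
-- with constructed rows; both procedures below search it by name.
CREATE TABLE dbo.Users (UserID int NOT NULL PRIMARY KEY, UserName nvarchar(100) NOT NULL, IsAdmin bit NOT NULL);
INSERT INTO dbo.Users (UserID, UserName, IsAdmin)
VALUES (1, N'alice', 0), (2, N'bob', 0), (3, N'root', 1);
GO

-- WRONG: the value is spliced into the literal. A quote inside @UserName ends
-- the string and whatever follows is executed as part of the statement.
CREATE OR ALTER PROCEDURE dbo.FindUser_Unsafe @UserName nvarchar(100)
AS
BEGIN
    DECLARE @SQL nvarchar(MAX) =
        N'SELECT UserID, UserName, IsAdmin FROM dbo.Users WHERE UserName = ''' + @UserName + N''';';
    PRINT @SQL;
    EXEC (@SQL);
END;
GO

-- RIGHT: values travel as sp_executesql parameters, so they can never change the
-- shape of the statement. Identifiers cannot be parameters, so the ORDER BY
-- column is validated against the catalog and then bracket-quoted.
CREATE OR ALTER PROCEDURE dbo.FindUser_Safe
    @UserName nvarchar(100),
    @OrderBy  sysname = N'UserID'
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.Users') AND name = @OrderBy)
        THROW 50001, N'Invalid ORDER BY column.', 1;

    DECLARE @SQL nvarchar(MAX) =
        N'SELECT UserID, UserName, IsAdmin FROM dbo.Users WHERE UserName = @UserName' + NCHAR(13) + NCHAR(10)
      + N'ORDER BY ' + QUOTENAME(@OrderBy) + N';';
    PRINT @SQL;
    EXEC sys.sp_executesql @SQL, N'@UserName nvarchar(100)', @UserName = @UserName;
END;
GO

-- A crafted value: closes the literal, adds a tautology, comments out the rest.
DECLARE @Payload nvarchar(100) = N'x'' OR 1=1; --';

-- Unsafe: the generated WHERE becomes   UserName = 'x' OR 1=1; --'
-- and every row, including the admin account, comes back.
EXEC dbo.FindUser_Unsafe @UserName = @Payload;

-- Safe: the same text is compared literally against UserName and matches nothing.
EXEC dbo.FindUser_Safe @UserName = @Payload;

-- Safe: an identifier attack through @OrderBy is rejected by the catalog check
-- before any SQL is built (and would be bracket-quoted even if it got through).
BEGIN TRY
    EXEC dbo.FindUser_Safe @UserName = N'alice', @OrderBy = N'UserID; DROP TABLE dbo.Users; --';
END TRY
BEGIN CATCH
    PRINT ERROR_MESSAGE();
END CATCH;
```

Run the two PRINT outputs side by side: the unsafe statement changes shape with the input, the safe one is identical for every value of @UserName, which is the whole point of parameterising.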

Fundamentals: varchar is NOT a one size fits all data type

A common, and fatal, mistake I often see is varchar/nvarchar being used for data that should be stored in a more appropriate data type; for example a date and time value. Storing data in a (n)varchar when it should be stored in a far more appropriate data type can have disastrous consequences for both the performance and the behaviour of your queries, as well as making tasks that seem like they should be simple far more difficult. The most common data I see stored in the wrong data type is date (and time) data; normally because…
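The following added example (written for this page, not part of the article) puts the same three dates in a varchar column and in a date column and runs the everyday operations against both: sorting, a range filter, parsing under a different DATEFORMAT, and what happens when a non-date slips in. The #Events table and its rows are constructed.

```sql
-- Added example (not from the original article): the same dates held as text
-- (the mistake) and as date (the fix), to show what goes wrong with the former.
CREATE TABLE #Events
(
    EventID  int         NOT NULL,
    WhenText varchar(20) NOT NULL,   -- dates stored as mm/dd/yyyy text
    WhenDate date        NOT NULL    -- the same values in a proper date column
);
INSERT INTO #Events (EventID, WhenText, WhenDate)   -- constructed rows
VALUES (1, '03/02/2021', '2021-03-02'),
       (2, '12/01/2020', '2020-12-01'),
       (3, '01/05/2021', '2021-01-05');

-- 1. Sorting: text sorts character by character, so the order is by month digit
--    first and the 2020 row lands last. The date column sorts chronologically.
SELECT EventID, WhenText FROM #Events ORDER BY WhenText;   -- 3, 1, 2
SELECT EventID, WhenDate FROM #Events ORDER BY WhenDate;   -- 2, 3, 1

-- 2. Range filters: '12/01/2020' falls between '01/01/2021' and '12/31/2021' as
--    text, so the 2020 row is wrongly included. The date version returns two rows.
SELECT EventID FROM #Events WHERE WhenText BETWEEN '01/01/2021' AND '12/31/2021';   -- 1, 2, 3
SELECT EventID FROM #Events WHERE WhenDate BETWEEN '2021-01-01' AND '2021-12-31';   -- 1, 3

-- 3. Interpretation: the meaning of '03/02/2021' depends on the session's
--    DATEFORMAT, so two connections can read the same row differently. The date
--    column has nothing to interpret. (Converting the text column in the WHERE
--    clause would also stop any index on it from being used.)
SET DATEFORMAT mdy;
SELECT CONVERT(date, WhenText) AS Parsed FROM #Events WHERE EventID = 1;   -- 2021-03-02
SET DATEFORMAT dmy;
SELECT CONVERT(date, WhenText) AS Parsed FROM #Events WHERE EventID = 1;   -- 2021-02-03
SET DATEFORMAT mdy;

-- 4. Garbage: a varchar column accepts anything, and the problem only surfaces
--    when someone finally tries to use the value as a date.
INSERT INTO #Events (EventID, WhenText, WhenDate) VALUES (4, 'next tuesday', '2021-04-06');
SELECT EventID, TRY_CONVERT(date, WhenText) AS Parsed FROM #Events WHERE EventID = 4;   -- NULL

DROP TABLE #Events;
```

Every one of those queries against WhenDate behaves as the reader expects without any conversion, which is the argument for picking the right type at design time rather than patching around it in every query.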

Getting to grips with Dynamic SQL: Debugging

Something that many find difficult with dynamic SQL is debugging it. When looking at a batch that creates and executes a dynamic statement it can be daunting to understand where exactly the error is happening, or even where the SQL that is generating the error is coming from, as it might be a value that was injected rather than part of the literal strings. I’ve touched on this before, but to reiterate: formatting is important. That doesn’t just mean the statements that create the dynamic SQL; it means ensuring that the dynamic SQL you create is well formatted…
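As an added example of that advice (written for this page, not taken from the article), the batch below builds its dynamic statement one clause per line, prints it before running it, and executes it inside TRY/CATCH so the reported line number can be matched to a line of the printed text. The error is caused by an injected column name with a typo, which is exactly the case the excerpt describes: the fault is in a value, not in the literals. The #Orders table and the bad column name are constructed.

```sql
-- Added example (not from the original article): a dynamic statement formatted
-- with one clause per line, printed, and run inside TRY/CATCH so the error can be
-- read back against the printed text. Table and injected name are hypothetical.
CREATE TABLE #Orders (OrderID int NOT NULL, Total decimal(10,2) NOT NULL);
INSERT INTO #Orders (OrderID, Total) VALUES (1, 10.00), (2, 25.50);   -- constructed rows

DECLARE @CRLF nchar(2) = NCHAR(13) + NCHAR(10);
DECLARE @FilterColumn sysname = N'Totl';   -- typo arriving from the caller, not from the literals

-- Each clause on its own line, so the printed statement has meaningful line numbers.
DECLARE @SQL nvarchar(MAX) =
      N'SELECT OrderID,'                               + @CRLF
    + N'       Total'                                  + @CRLF
    + N'FROM #Orders'                                  + @CRLF
    + N'WHERE ' + QUOTENAME(@FilterColumn) + N' > @Min' + @CRLF
    + N'ORDER BY OrderID;';

-- Always print what you are about to execute. The injected [Totl] is visible on
-- line 4 of the output, which is the line the error below points at.
PRINT @SQL;

BEGIN TRY
    EXEC sys.sp_executesql @SQL, N'@Min decimal(10,2)', @Min = 5.00;
END TRY
BEGIN CATCH
    -- For an error raised inside the dynamic batch, ERROR_LINE() is the line
    -- within that batch, so it maps directly onto the printed statement.
    PRINT CONCAT(N'Dynamic SQL failed on line ', ERROR_LINE(), N': ', ERROR_MESSAGE());
    -- Dynamic SQL failed on line 4: Invalid column name 'Totl'.
END CATCH;

DROP TABLE #Orders;
```

Had the statement been built as a single concatenated line, the error would still say "line 1" and the printed text would be a wall of SQL with the bad identifier buried somewhere in the middle; the formatting is what makes the line number useful.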
