Subject Re: [firebird-support] Is there a parameter value of 'don't care' ?
Author PenWin
I am still trying to find a solution to this problem myself and still can't
find any that's good:

1) Building queries dynamically is only viable if the application has
access to the actual tables.
In my application, I can't afford to do that - the application is accessible
from the internet and there's a reasonable assumption that the actual
frontend will be written by other programmers, possibly those who have no
idea about security. To solve that, I am only providing access to some
stored procedures which do the actual work, and dynamic building of queries
has several serious problems (such as "how to escape apostrophes" and the
problem that EXECUTE QUERY would still require that the user had access to
the actual tables).

2) Using several different queries and branching between them according to
the parameter is only usable if you have two or three parameters at most -
the number of required queries grows too quickly.

3) Using queries with conditions such as (NAME=:name OR :name IS NULL) seems
to be the best solution so far, but the problem is that it is very slow.
While the actual time to run a query with (NAME=:name) is negligible (some
0.01 sec), a query with the same parameter but condition (NAME=:name OR :name
IS NULL) could very well take as much as three seconds or more. Still, it is
a better solution than the two above.

Pepak
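The two patterns the post contrasts, shown side by side as an added example (it is not code from the thread, and it uses SQLite's in-memory engine rather than Firebird, purely so it runs stand-alone; SQLite accepts the same `:name` parameter style). The table `CUSTOMERS`, its columns and the rows are constructed sample data. `find_optional` is approach 3, a single static statement with `(COL = :p OR :p IS NULL)` per optional parameter. `find_dynamic` is approach 1 done without the apostrophe-escaping problem: only the shape of the WHERE clause is assembled at run time, column names come from a whitelist that the caller cannot influence, and every value is bound as a parameter. In Firebird the dynamic variant would live inside the stored procedure that the post exposes, so the caller still never needs table privileges; the Python version shows the same logic in application code.

```python
import sqlite3

# Constructed sample data (not from the post). The apostrophe in "O'Brien"
# is deliberate: bound parameters make it a non-issue.
SAMPLE_ROWS = [
    (1, "O'Brien", "Dublin"),
    (2, "Smith", "London"),
    (3, "Smith", "Dublin"),
    (4, "Novak", "Prague"),
]

# Whitelist of caller-visible filter names -> real column names. Column
# names are taken from this dict only, never from caller input, so no
# SQL fragment can reach the statement text.
FILTERABLE = {"name": "NAME", "city": "CITY"}


def open_db():
    """Create the in-memory table with an index on NAME (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CUSTOMERS (ID INTEGER PRIMARY KEY, NAME TEXT, CITY TEXT)")
    conn.execute("CREATE INDEX IX_CUSTOMERS_NAME ON CUSTOMERS (NAME)")
    conn.executemany("INSERT INTO CUSTOMERS VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_optional(conn, name=None, city=None):
    """Approach 3 from the post: one static statement, each optional
    parameter guarded by (COL = :p OR :p IS NULL). Passing None disables
    that filter."""
    sql = ("SELECT ID FROM CUSTOMERS "
           "WHERE (NAME = :name OR :name IS NULL) "
           "AND (CITY = :city OR :city IS NULL) ORDER BY ID")
    return [row[0] for row in conn.execute(sql, {"name": name, "city": city})]


def build_dynamic_sql(**filters):
    """Assemble the statement for approach 1. Returns (sql, params).
    Unknown filter names are rejected; values are never interpolated."""
    clauses, params = [], {}
    for key, value in filters.items():
        if value is None:
            continue
        if key not in FILTERABLE:
            raise ValueError(f"not a filterable column: {key!r}")
        clauses.append(f"{FILTERABLE[key]} = :{key}")
        params[key] = value
    sql = "SELECT ID FROM CUSTOMERS"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY ID"
    return sql, params


def find_dynamic(conn, **filters):
    """Approach 1 with bound parameters: same results as find_optional,
    but the planner only sees the conditions that actually apply."""
    sql, params = build_dynamic_sql(**filters)
    return [row[0] for row in conn.execute(sql, params)]


def query_plan(conn, sql, params):
    """Return SQLite's plan lines for a statement, so the two forms can be
    compared for index use (SQLite's planner, not Firebird's)."""
    return [row[3] for row in conn.execute("EXPLAIN QUERY PLAN " + sql, params)]


if __name__ == "__main__":
    db = open_db()
    print(find_optional(db, name="Smith"), find_dynamic(db, name="Smith"))
    print(find_dynamic(db, name="O'Brien"))
    sql, params = build_dynamic_sql(name="Smith")
    print(query_plan(db, sql, params))
```

Running the script and comparing `query_plan` for the dynamic statement against the `OR :name IS NULL` form shows the planner's view of the two: the dynamic form carries a plain `NAME = :name` predicate that an index on NAME can serve, while the OR form has to be evaluated per row because the predicate is only decidable once the parameter value is known. That is the same trade-off the post measures in seconds on Firebird.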