Subject Re: [firebird-support] Re: Is there a parameter value of 'don't care' ?
Author PenWin
> Another possible approach. Have you considered using views? Your
> concern seems to be for security, but in one sense allowing the user
> to control arbitrary parts of your query opens you up to SQL injection
> attacks.

That's precisely why I only allow access to data through stored procedures
and not tables or views: because I can't be sure the application layer will
be written correctly (it is "semi-open"; any legitimate user may change it
if he wishes to do so). Views would reveal more information than I am
willing to give (because I would have to return all possible fields, while
with a procedure I can choose which fields to return based on e.g.
application settings or user rights).

> When used in a query, the view is also prepared using any available
> underlying table index, so you may well find it to be faster.

I thought the same was true for SELECTs in procedures. Isn't it?

Pepak
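For readers following the thread, here is an added example (not code from the original post, nor from Firebird's own documentation) of the pattern Pepak describes: a selectable stored procedure with NULL used as the "don't care" value for each filter parameter, granted to an application role while the underlying table stays ungranted. The table, column, role and user names (employee, app_role, app_user) are assumed for illustration.

```sql
-- Firebird DDL/PSQL. Assumed schema for illustration only.
CREATE TABLE employee (
    emp_id     INTEGER      NOT NULL PRIMARY KEY,
    last_name  VARCHAR(40)  NOT NULL,
    dept_no    CHAR(3),
    salary     NUMERIC(10,2)         -- sensitive; never returned below
);

CREATE ROLE app_role;
GRANT app_role TO app_user;           -- app_user assumed to exist

SET TERM ^ ;

-- Each input parameter is optional: NULL means "don't care".
-- Values arrive as bound parameters, so nothing the application
-- passes in is ever interpreted as SQL text.
CREATE PROCEDURE get_employees (
    p_last_name VARCHAR(40),          -- NULL = don't care
    p_dept_no   CHAR(3)               -- NULL = don't care
)
RETURNS (
    emp_id    INTEGER,
    last_name VARCHAR(40),
    dept_no   CHAR(3)                 -- salary deliberately omitted
)
AS
BEGIN
    FOR SELECT e.emp_id, e.last_name, e.dept_no
        FROM employee e
        WHERE (:p_last_name IS NULL OR e.last_name = :p_last_name)
          AND (:p_dept_no   IS NULL OR e.dept_no   = :p_dept_no)
        INTO :emp_id, :last_name, :dept_no
    DO
        SUSPEND;
END^

SET TERM ; ^

-- The application role may only execute the procedure; the procedure
-- itself is what is allowed to read the table. No SELECT on employee
-- is granted to app_role, so a modified client cannot query it directly.
GRANT SELECT ON employee TO PROCEDURE get_employees;
GRANT EXECUTE ON PROCEDURE get_employees TO app_role;

-- Usage from the client, connected with ROLE app_role:
--   SELECT * FROM get_employees(NULL, 'D01');      -- any name, dept D01
--   SELECT * FROM get_employees('Smith', NULL);    -- name Smith, any dept
--   SELECT * FROM employee;                        -- fails: no privilege
```

Whether the SELECT inside the procedure uses the table's indexes (the question raised at the end of the post) can be checked directly rather than guessed: in isql, `SET PLAN ON;` before running the calling SELECT prints the plan Firebird chose, and the `IS NULL OR` form of the filter is the part worth inspecting, since the optimizer has to produce one plan that is valid whether or not each parameter is NULL.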