On 12.09.2025 at 15:47, Charles Wilt <charles.wilt@xxxxxxxxx> wrote:
One last tidbit, don't overly complicate the static statement just to use
static.
What I mean is having something like so:
exec sql
select <...>
where col1 =
case when :var1 = 0 then col1 else :var1 end
and col2 =
case when :var2 = '' then col2 else :var2 end
<...>
To have "optional" filters or sorting applied. This takes the "static
is a better choice" too far; greatly increasing the difficulty of the
optimiser's job.
In these cases, dynamic is a better choice.
Definitely true.
The main error that a lot of people make in this case is to create the
whole SQL statement in the string and not use parameter markers (?) in
dynamic SQL. At least I have seen this very often.
I understand the problem, as you might have changing/variable WHERE
conditions depending on user input, and it gets complicated very fast. So
embedding user input strings into the dynamic SQL statement seems easy and
straightforward.
The problem then is that when parts of the dynamic SQL statement are
strings from user input, you risk SQL injection:
-> https://xkcd.com/327/
So I have written a piece about avoiding SQL injections with "really"
dynamic SQL statements:
-> https://blog.qpgmr.de/2025/05/24/avoiding-sql-injections.html
So when using dynamic SQL, I really recommend using ? parameter markers
and SQL indicators at least for all CHAR or VARCHAR values. And using the
technique from my blog post, it's only a bit more complicated than
embedding the strings directly.
HTH
Daniel
On Thu, Sep 11, 2025 at 3:14 PM Dan Bale <dan.bale@xxxxxxxxxxxxxxxxxxxxx> wrote:
We have a lot of embedded SQL that uses host variables, e.g.:
Select a, b, c from custmast where c = :hostc;
It has been suggested to me that this can cause performance issues
because the plan cache may need to be "rebuilt"(?), so we should consider
replacing these types of queries with dynamic SQL using parameter markers, e.g.
SQLStatement = 'Select a, b, c from custmast where c = ?';
Exec SQL Prepare P1 from :SQLStatement;
Exec SQL Declare C1 cursor for P1;
Exec SQL Open C1 USING :hostc;
Is anyone aware of a resource that describes this in detail? Maybe also
provide test cases that prove performance gains? (Or not?)
- Dan Bale
*** CONFIDENTIALITY NOTICE: The information contained in this
communication may be confidential, and is intended only for the use of
the recipients named above. If the reader of this message is not the
intended recipient, you are hereby notified that any dissemination,
distribution, or copying of this communication, or any of its contents,
is strictly prohibited. If you have received this communication in error,
please return it to the sender immediately and delete the original message
and any copy of it from your computer system. If you have any questions
concerning this message, please contact the sender. ***
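The technique Daniel recommends, as an added example that is not part of the original thread and is not code from the linked blog post: the WHERE clause is assembled only from fixed text fragments, every user-supplied value becomes a ? parameter marker passed separately, and the column names a caller may filter on are checked against a whitelist. It uses Python with SQLite in place of RPG embedded SQL on Db2 for i so that it runs anywhere; the table custmast and its columns a, b, c follow Dan Bale's example, while the row data, the function names and the injection payload are constructed for this example.

```python
import sqlite3

# Constructed sample data for this example (not from the mailing list).
# Table and column names follow Dan Bale's example: custmast (a, b, c).
SAMPLE_ROWS = [
    (1, "alpha", "ACME"),
    (2, "beta", "ACME"),
    (3, "gamma", "GLOBEX"),
    (4, "delta", "INITECH"),
]

# Whitelist of columns a caller may filter on. Column names cannot be
# parameter markers, so they must be validated instead of bound.
ALLOWED_FILTER_COLUMNS = ("a", "b", "c")


def open_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table custmast (a integer, b varchar(20), c varchar(20))"
    )
    conn.executemany("insert into custmast values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def unsafe_statement(filters):
    """The mistake Daniel describes: user values glued into the SQL text.

    filters is a list of (column, value) pairs; each value lands inside the
    statement as a quoted literal, so a value containing a quote rewrites
    the WHERE clause.
    """
    sql = "select a, b, c from custmast"
    if filters:
        sql += " where " + " and ".join(
            f"{col} = '{val}'" for col, val in filters
        )
    return sql + " order by a"


def safe_statement(filters):
    """Build the same optional WHERE clause with ? parameter markers.

    Only fixed fragments ("c = ?", " and ") are concatenated. The values
    are returned in a separate list, in the order of the markers, so the
    database sees them as data and never as SQL text.
    """
    fragments = []
    params = []
    for col, val in filters:
        if col not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"column not allowed in filter: {col!r}")
        fragments.append(f"{col} = ?")
        params.append(val)
    sql = "select a, b, c from custmast"
    if fragments:
        sql += " where " + " and ".join(fragments)
    return sql + " order by a", params


def run_unsafe(conn, filters):
    """Execute the concatenated statement (vulnerable)."""
    return conn.execute(unsafe_statement(filters)).fetchall()


def run_safe(conn, filters):
    """Prepare with markers and supply the values at execution time."""
    sql, params = safe_statement(filters)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = open_db()
    # Constructed attacker input: closes the literal and appends OR '1'='1'.
    payload = "X' or '1'='1"
    print("unsafe, normal :", run_unsafe(db, [("c", "ACME")]))
    print("unsafe, payload:", run_unsafe(db, [("c", payload)]))
    print("safe,   payload:", run_safe(db, [("c", payload)]))
```

With the ordinary value ACME both versions return the same two rows. With the payload, the concatenated statement becomes `where c = 'X' or '1'='1'` and returns every row, while the marker version compares column c against the literal string and returns nothing. The same statement text is reused for every combination of filters, which is also what lets the database cache the prepared statement instead of re-optimising a new string per request.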
--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].