Kingmoh preaches data science

Introduction to dynamic SQL

Photo by Marten Bjork on Unsplash

Introduction to dynamic SQL

With SQL Server

Rashid Mohammed's photo
Rashid Mohammed
·

6 min read

Table of contents

Introduction

Several RDBMSs for example, PostgreSQL allow you to create a batch of SQL code that can be executed. In this article, I'll explain what Dynamic SQL is. Furthermore, I'll demonstrate its usefulness, and finally, I'll provide an example of how not to use dynamic SQL in SQL Server.


When to use Dynamic SQL

  • Dynamic SQL is very useful in scenarios where the SQL statements that have to be executed by application are unknown at the time of execution.
  • It can also be used for automating administrative tasks like querying metadata and constructing and executing a BACKUP DATABASE statement for each database in an on-prem instance.
  • Dynamic SQL ameliorates the performance of some tasks, for example, by constructing parametrised ad-hoc queries that can benefit from previously cached execution plans.
  • It is also used to construct elements of code based on querying actual data, for example, constructing a PIVOT query dynamically when you don't know ahead of time which elements should appear in the IN clause of the PIVOT operator.


Executing Dynamic SQL

In SQL Server, dynamic SQL can be executed using two commands namely:

  • EXEC
  • sp_executesql

The latter is the preferred command because it is more secure, flexible, and possesses an interface; that is it supports both input and output parameters. Let's take a few examples using both commands. The dataset used in this article can be found by executing the SQL files here.

The EXEC command

USE BikeStores;
GO

-- Declare a variable to reference the sql statement
DECLARE @my_sql AS VARCHAR(500);

-- Create the sql statement
SET @my_sql = '
select order_id, item_id,
  SUM(list_price) over(partition by order_id) as totalListPrice
from sales.order_items
order by order_id 
offset 0 rows fetch first 1 row only;';

-- execute the sql statement 
EXEC(@my_sql);


The sp_executesql Stored Procedure

The ability of sp_executesql to support input and output parameters can improve the security and efficiency of your code. In terms of security, parameters that appear in the code cannot be considered part of the code - they can only be considered operands in expressions. This eliminates your exposure to SQL injection attacks.

sp_executesql can perform better than the EXEC because its parametrisation aids in reusing cached execution plans.

Here's the syntax for using the sp_executesql procedure. All expressions delimited by the square braces are optional.

sp_executesql [ @stmt = ] statement  
[   
  { , [ @params = ] N'@parameter_name data_type [ OUT | OUTPUT ][ ,...n ]' }   
     { , [ @param1 = ] 'value1' [ ,...n ] }  
]

You provide a Unicode character string as the first parameter. You can optionally assign the SQL statement to @stmt variable. Secondly, you provide a Unicode character string holding the declarations of input and output parameters in the second input parameter or you can optionally assign the declarations to the @params variable. Lastly, you specify the assignments of input and output parameters separated by commas. Let's take a few examples.

DECLARE @sql AS NVARCHAR(200);

SET @sql = N'SELECT order_id, customer_id, order_date 
FROM sales.orders 
WHERE order_id = @order_id;';

EXEC sp_executesql 
  @stmt = @sql,
  @params = N'@order_id AS INT',
  @order_id = 1;

This should return the following output

order_id    customer_id     order_date
       1            259     2016-01-01

Here's a more complex example that uses output parameters and the OFFSET-FETCH filter.

-- Declare a variable to reference the sql statement
declare @sql AS NVARCHAR(500);

declare @totalPrice AS FLOAT;

set @sql = N'
select
  @totalPrice = sum(list_price) over(partition by order_id) 
from sales.order_items
where order_id = @my_order_id
order by order_id 
offset 0 rows fetch first 1 row only;
';

exec sp_executesql @sql, N'@my_order_id AS INT, @totalPrice AS FLOAT OUT', @my_order_id = 1, @totalPrice = @totalPrice OUTPUT;

select @totalPrice as totalPrice;

Notice that I didn't use the @stmt or @params.


Typical use case (Advanced)

When pivoting data in SQL Server, you need to know ahead of time which values to specify in the IN clause of the PIVOT operator. For example, run the following code to create a relation and insert some data into it.

IF OBJECT_ID('dbo.Orders', 'U') IS NOT NULL
   DROP TABLE dbo.Orders;


CREATE TABLE dbo.Orders 
(
    orderid INT NOT NULL,
    orderdate DATE NULL,
    empid INT NULL,
    custid VARCHAR(5) NULL,
    qty INT NULL,
    CONSTRAINT PK_Orders PRIMARY KEY(orderid)
);


INSERT INTO dbo.Orders (orderid, orderdate, empid, custid, qty)
VALUES 
    (30001, '20070802', 3, 'A', 10),
    (10001, '20071224', 2, 'A', 12),
    (10005, '20071224', 1, 'B', 20),
    (40001, '20080109', 2, 'A', 40),
    (10006, '20080118', 1, 'C', 14),
    (20001, '20080212', 2, 'B', 12),
    (40005, '20090212', 3, 'A', 10),
    (20002, '20090216', 1, 'C', 20),
    (30003, '20090418', 2, 'B', 15),
    (30004, '20070418', 3, 'C', 22),
    (30007, '20090907', 3, 'D', 30);

Now let's do some pivoting

SELECT empid, A, B, C, D 
FROM (SELECT empid, custid, qty 
      FROM dbo.Orders) AS D 
    PIVOT(SUM(qty) FOR custid IN (A, B, C, D)) AS P

You notice that we needed to specify all the unique custid values. But what if there are too many categories to count? For example what if there are A, B, C, D, E, F,... and so on. We can use dynamic SQL to find all the unique categories and concatenate these categories to an sql batch statement. The example below summaries the total amount spent by each customer since 2016.

-- Summarise the amount spent by each customer since 2016
create view sales.purchased_items_view
as 
select o.customer_id, oi.item_id, oi.list_price, o.order_date from sales.order_items as oi
inner join sales.orders o
  on oi.order_id = o.order_id;

go

-- Pivot the data
select * 
from (select customer_id, year(order_date) as orderyear, list_price
      from sales.purchased_items_view) as D 
pivot (sum(list_price) for orderyear in ([2016], [2017])) as P;

go

The IN clause contains 2016 and 2017, but what if some customers made orders in 2018? Let's try using a cursor and dynamic SQL to find out.

declare 
  @sql       as nvarchar(1000),
  @orderyear as int,
  @first     as int;

declare c cursor fast_forward for 
  select distinct (year(order_date)) as orderyear 
  from sales.purchased_items_view 
  order by orderyear;

-- regulate the addition of commas
set @first = 1;

-- create your batch statement
set @sql = N'
select * 
from (select customer_id, year(order_date) as orderyear, list_price
      from sales.purchased_items_view) as D 
pivot (sum(list_price) for orderyear in (';

open c;

fetch next from c into @orderyear;

while @@fetch_status = 0 
begin 
  if @first = 0
    set @sql = @sql + N','
  else 
    set @first = 0;

  set @sql = @sql + quotename(@orderyear);

  fetch next from c into @orderyear;
end

close c;

deallocate c;

set @sql = @sql + N')) as p;';

exec sp_executesql @sql;

We can see that in fact, some customers purchased some items in 2018.


How NOT to use Dynamic SQL

Additional parameters specified in the sp_executesql procedure must contain only constants or variables. The values cannot be more complex expressions such as functions, or expressions built by using operators. For example, this will not work

declare @sql as nvarchar(100) = N'select * from @table_name';
exec sp_executesql @sql, N'@table_name as nvarchar', @table_name=N'sales.orders';

You get slammed by the following error.

Msg 1087, Level 16, State 1, Line 1
Must declare the table variable "@table_name".


Conclusion

In this article, I talked about dynamic SQL and the different ways to run dynamic SQL statements. I highlighted the use of the EXEC statement and the sp_executesql stored procedure. I provided a real-world use case of the dynamic SQL with the PIVOT operator, and lastly, I demonstrated how not to use dynamic SQL.

SQLSQL ServerDatabases