Hi,
This question has bounced around a lot, I know, but how about the following solution:
The Stored Procedure: (pulls the parameters to the other side of dynamic SQL)
create procedure objectFindAdvanced(@whereclause varchar(50), @firstname varchar(50) = NULL, @lastname varchar(50) = NULL, @nickname varchar(50) = NULL) AS
declare @query varchar(8000)
set @query = "declare @firstname varchar(50); declare @lastname varchar(50); declare @nickname varchar(50);"
set @query = @query + "set @firstname = " + @firstname + "; set @lastname = " + @lastname + "; set @nickname = " + @nickname + "; "
set @query = @query + "select ... from table " + @whereclause
exec @query
GO
The WHERE clause:
"(@firstname = 'john') OR (@lastname='doe' AND @nickname='doughboy')"
It's just a thought - it might still be error prone or SqlInjection vulnerable - anyone have comments? Obviously this is different from the GetPaged procedure based on the implementation, and one would hope that it maintains some amount of security, while making complex WHERE clauses possible...
Clynton
-------------------------------------
Member of the .NetTiers team