Re: Query: Using dynamic XQuery expressions (urgent)
- From: "Michael Rys [MSFT]" <mrys@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 18 Nov 2005 12:48:23 -0800
In general, when you do not know the complexity of the XQuery, you will need
to use sp_executesql. Note that you will have to mediate against SQL and
XQuery injection attacks if you provide external access to the query
parameterization in any case...
Best regards
Michael
"Michael Rys [MSFT]" <mrys@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:uohwK$H7FHA.808@xxxxxxxxxxxxxxxxxxxxxxx
> Hi Narenda and Kent
>
> Cleaning up Kent's second solution, you can write:
>
> declare @NodeToRead varchar(150)
>
> set @NodeToRead = 'City'
>
> declare @xml xml
>
> set @xml = '<ApplicationRequest>
>
> <DataObject>
>
> <City>
>
> <CityId>1</CityId>
>
> <Name>Pune</Name>
>
> </City>
>
> </DataObject>
>
> </ApplicationRequest>'
>
> select @xml.value('(for $node in (/ApplicationRequest/DataObject/*)
>
> where (local-name($node) = sql:variable("@NodeToRead"))
>
> return ($node/Name))[1]','nvarchar(max)')
>
>
>
> or rewrite the query to the shorter XPath expression
>
> select @xml.value('(/ApplicationRequest/DataObject/*[local-name() =
> sql:variable("@NodeToRead")]/Name)[1]','nvarchar(max)')
>
>
>
> In general, we have seen use cases for parameterizing the query methods
> with a string value. However there are some security issues to consider.
>
> I would appreciate if you can send your feature request through the MSDN
> Feedback center or send a mail to sqlwish (at) microsoft (dot) com. That
> way, the powers that keep track of customer feedback will see this issue
> appear and other people can vote on it (in the feedback center).
>
> Best regards
>
> Michael
>
> "Kent Tegels" <ktegels@xxxxxxxxxxx> wrote in message
> news:b87ad74ed978c7ba3ca6cda530@xxxxxxxxxxxxxxxxxxxxx
>> Hello Narendra,
>>
>> Remember that the XQuery expression itself must be a string literally.
>> Now, yes, there are constructors, but those don't seem to work in the
>> where predicate where we'd want them to do for this. Here's the closest I
>> could come with quickly:
>>
>> declare @NodeToRead varchar(150)
>> set @NodeToRead = 'City'
>> declare @query nvarchar(max)
>>
>> set @query = '
>> declare @xml xml
>> set @xml = ''<ApplicationRequest>
>> <DataObject>
>> <City>
>> <CityId>1</CityId>
>> <Name>Pune</Name>
>> </City>
>> </DataObject>
>> </ApplicationRequest>''
>> select @xml.value(''(for $node in (/ApplicationRequest/DataObject/*)
>> where (local-name($node) = "' + @NodeToRead + '")
>> return ($node/Name))[1]'',''nvarchar(max)'')'
>>
>> exec sp_executesql @stmt=@query
>>
>> BLECH!
>>
>> This would be nicer if it worked...
>>
>> declare @NodeToRead varchar(150)
>> set @NodeToRead = 'City'
>> declare @xml xml
>> set @xml = '<ApplicationRequest>
>> <DataObject>
>> <City>
>> <CityId>1</CityId>
>> <Name>Pune</Name>
>> </City>
>> </DataObject>
>> </ApplicationRequest>'
>> select @xml.value('(for $node in (/ApplicationRequest/DataObject/*)
>> where (local-name($node) = "{sql:variable("@NodeToRead")}")
>> return ($node/Name))[1]','nvarchar(max)')
>>
>> I've forwarded this up to MRys as a suggestion for the next release...
>>
>> Thank you,
>> Kent Tegels
>> DevelopMentor
>> http://staff.develop.com/ktegels/
>>
>>
>
>
.
- References:
- Query: Using dynamic XQuery expressions (urgent)
- From: Narendra
- Re: Query: Using dynamic XQuery expressions (urgent)
- From: Kent Tegels
- Re: Query: Using dynamic XQuery expressions (urgent)
- From: Michael Rys [MSFT]
- Query: Using dynamic XQuery expressions (urgent)
- Prev by Date: Re: Query: Using dynamic XQuery expressions (urgent)
- Next by Date: Re: xml-dml insert element with an attribute containig sql:variable
- Previous by thread: Re: Query: Using dynamic XQuery expressions (urgent)
- Next by thread: Re: Query: Using dynamic XQuery expressions (urgent)
- Index(es):
Relevant Pages
|
Loading
