List: General Discussion
From:Gary Smith Date:March 27 2009 5:59pm
Subject:Search based where claused and stored proc
I'm working on a small project of re-implementing all of the sql for a web site.  The task
is pretty trivial but overall there are some minor things that I'm trying to code through.

We've moved much of the logic over to stored procs and call them with parameterized
queries.  This works well since there isn't much injection attack possibility on these.  Now
I have one query left, which allows for an arbitrary number of search parameters, all
using AND.

Has anyone accomplished converting something like this to a stored proc in mysql?

Logically I could pass the parameters in as an array of words, or a wordlist to be
broken up inside the proc, but I don't want to spend a bunch of time either reinventing
the wheel or working to a goal that can't be accomplished.

We could build the base query dynamically in the code using standard sql and bind the
parameters to it that way but since we've moved everything else to procs I figured I'd
look into this as well.

BTW, this is a project I was brought onto after they found they had a sql injection bug in
their code that was exploited...
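One way to keep this as a stored proc without ever splicing the search terms into SQL text, as an added example (not code from this thread; the `articles` table, its `body` column and the space-separated word list are assumptions):

```sql
-- Added example. Assumed, constructed schema:
--   CREATE TABLE articles (id INT PRIMARY KEY, body TEXT);
-- The caller passes a space-separated word list; every word must match (AND).
DELIMITER $$
CREATE PROCEDURE search_articles(IN p_words VARCHAR(1000))
BEGIN
  DECLARE v_rest VARCHAR(1000) DEFAULT TRIM(p_words);
  DECLARE v_word VARCHAR(255);

  -- One row per search term. The query below joins against this table,
  -- so the term values are data, never part of a statement string.
  DROP TEMPORARY TABLE IF EXISTS tmp_terms;
  CREATE TEMPORARY TABLE tmp_terms (term VARCHAR(255) NOT NULL);

  WHILE v_rest <> '' DO
    SET v_word = SUBSTRING_INDEX(v_rest, ' ', 1);
    -- Drop the consumed word plus one separator; TRIM eats repeated blanks.
    SET v_rest = TRIM(SUBSTRING(v_rest, CHAR_LENGTH(v_word) + 2));
    IF v_word <> '' THEN
      -- Escape LIKE metacharacters so a term of '%' cannot match every row.
      INSERT INTO tmp_terms (term)
        VALUES (REPLACE(REPLACE(REPLACE(v_word, '\\', '\\\\'),
                                        '%', '\\%'),
                                '_', '\\_'));
    END IF;
  END WHILE;

  -- Static SQL: an article qualifies only if no term fails to match it.
  SELECT a.id, a.body
    FROM articles a
   WHERE NOT EXISTS (
           SELECT 1 FROM tmp_terms t
            WHERE a.body NOT LIKE CONCAT('%', t.term, '%')
         )
     AND EXISTS (SELECT 1 FROM tmp_terms);  -- an empty word list returns nothing

  DROP TEMPORARY TABLE tmp_terms;
END$$
DELIMITER ;

-- Usage: the application binds the whole word list as a single parameter.
CALL search_articles('mysql stored procedure');
```

The same shape works if the application passes the words as a JSON array or a table-valued input instead of a delimited string; the point is that the per-word predicate stays fixed SQL and only the temporary table's rows vary.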