3.3 What If You Must Use Dynamic SQL?
Dynamic SQL may be unavoidable in the following types of situations:
If you must use dynamic SQL, try not to construct it through concatenation of input values. Instead, use bind arguments. If you cannot avoid input concatenation, you must validate input values, and also consider constraining user input to a predefined list of values, preferably numeric values. Lesson 5 addresses input filtering and sanitizing in more detail.
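The three practices named above side by side, as an added example that is not part of the original lesson. It assumes Oracle PL/SQL (EXECUTE IMMEDIATE ... USING and the DBMS_ASSERT package are Oracle built-ins); the table demo_emp, its rows and the function names are constructed for this illustration.

```sql
-- Assumed environment: Oracle PL/SQL. Table and rows are constructed for this example.
CREATE TABLE demo_emp (
  emp_id    NUMBER PRIMARY KEY,
  dept_id   NUMBER,
  last_name VARCHAR2(40)
);
INSERT INTO demo_emp VALUES (1, 10, 'Adams');
INSERT INTO demo_emp VALUES (2, 20, 'Baker');
COMMIT;

-- 1. Concatenation (the pattern to avoid): the caller's text becomes part of the
--    statement, so any SQL syntax it contains is parsed and executed. A value such
--    as "10 OR 1=1" widens the WHERE clause to every row instead of one department.
CREATE OR REPLACE FUNCTION count_by_dept_concat (p_dept IN VARCHAR2)
  RETURN NUMBER
IS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM demo_emp WHERE dept_id = ' || p_dept;
  EXECUTE IMMEDIATE l_sql INTO l_count;
  RETURN l_count;
END;
/

-- 2. Bind argument (preferred): the statement text is a fixed literal and the
--    value travels separately through USING, so it is only ever treated as data.
--    Typing the parameter as NUMBER also rejects non-numeric input at the call site.
CREATE OR REPLACE FUNCTION count_by_dept_bind (p_dept IN NUMBER)
  RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM demo_emp WHERE dept_id = :dept'
    INTO l_count USING p_dept;
  RETURN l_count;
END;
/

-- 3. Unavoidable concatenation: an identifier (here an ORDER BY column) cannot be
--    bound, so the input is constrained to a predefined list and then verified as a
--    simple SQL name before it is appended. The data value is still bound.
CREATE OR REPLACE FUNCTION names_sorted (p_dept     IN NUMBER,
                                         p_sort_col IN VARCHAR2)
  RETURN SYS_REFCURSOR
IS
  l_col VARCHAR2(128);
  l_cur SYS_REFCURSOR;
BEGIN
  -- Allow-list check: only these two column names are acceptable.
  IF UPPER(p_sort_col) NOT IN ('EMP_ID', 'LAST_NAME') THEN
    RAISE_APPLICATION_ERROR(-20001, 'Unsupported sort column');
  END IF;
  -- Second line of defence: DBMS_ASSERT raises ORA-44003 for anything that is
  -- not a valid simple SQL name (spaces, semicolons, quotes, comment markers).
  l_col := DBMS_ASSERT.SIMPLE_SQL_NAME(UPPER(p_sort_col));

  OPEN l_cur FOR
    'SELECT last_name FROM demo_emp WHERE dept_id = :dept ORDER BY ' || l_col
    USING p_dept;
  RETURN l_cur;
END;
/

-- Usage (constructed calls):
--   SELECT count_by_dept_bind(10) FROM dual;
--   DECLARE c SYS_REFCURSOR; BEGIN c := names_sorted(10, 'last_name'); CLOSE c; END;
--   names_sorted(10, 'last_name; drop table demo_emp') raises ORA-20001 before any
--   statement text is assembled.
```

The first function exists only to show what the page warns against: the same argument that is harmless as a bind value in the second function is parsed as SQL in the first. The third function is the "cannot avoid concatenation" case, and the order of its checks matters: the allow-list decides what is acceptable, DBMS_ASSERT.SIMPLE_SQL_NAME guards against a mistake in that list, and the numeric department id is still passed as a bind argument rather than concatenated.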