Hello,
I would like to check if there is a preferred design pattern for implementing search functionality with multiple optional parameters against database table where the access to the database should be only via stored procedures.
The targeted platform is .Net with SQL 2005, 2008 backend, but I think this is pretty generic problem.
For example, we have customer table and we want to provide search functionality to the UI for different parameters, like customer Type, customer State, customer Zip, etc., and all of them are optional and can be selected in any combinations. In other words, the user can search by customerType only or by customerType, customerZIp or any other possible combinations.
There are several available design approaches, but all of them have some disadvantages and I would like to ask if there is a preferred design among them or if there is another approach.
Generate sql where clause sql statement dynamically in the business tier, based on the search request from the UI, and pass it to a stored procedure as parameter. Something like @Where = ‘where CustomerZip = 111111’
Inside the stored procedure generate dynamic sql statement and execute it with sp_executesql.
Disadvantage: dynamic sql, sql injection
Implement a stored procedure with multiple input parameters, representing the search fields from the UI, and use the following construction for selecting the records only for the requested fields in the where statement.
WHERE
(CustomerType = @CustomerType OR @CustomerType is null )
AND (CustomerZip = @CustomerZip OR @CustomerZip is null )
AND …………………………………………
Disadvantage: possible performance issue for the sql.
3.Implement separate stored procedure for each search parameter combinations.
Disadvantage: The number of stored procedures will increase rapidly with the increase of the search parameters, repeated code.
