Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-1

Module 9
Using Advanced Techniques
Contents:
Lesson 1: Considerations for Querying Data Lesson 2: Working with Data Types Lesson 3: Cursors and Set-Based Queries Lesson 4: Dynamic SQL Lesson 5: Maintaining Query Files Lab: Using Advanced Techniques 9-3 9-13 9-23 9-33 9-39 9-42

9-2

Using Advanced Techniques

Module Overview

This module provides you with the skills and knowledge about advanced querying techniques in Microsoft SQL Server 2008. This course provides information about the best practices you should follow when querying complex data that involves date/time data, and how to work with the hierarchyid data type. You will learn how to use cursors and set-based queries, as well as dynamic SQL. In addition, you will examine how to use Microsoft Team Foundation Server for managing query source files.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-3

Lesson 1

Considerations for Querying Data

Because there are often many ways to query for the same data, you need to understand how SQL Server processes queries using execution plans to help identify the most efficient query methods for a given situation. Also, when querying data, you need to understand how data type conversion works, as well as. the order of precedence of data types.

9-4

Using Advanced Techniques

Execution Plans

Key Points
Execution plans graphically display the data retrieval methods chosen by the SQL Server query optimizer. Execution plans represent the execution cost of specific statements and queries in SQL Server using icons. To use the graphical execution plan feature in Management Studio, and to use the Showplan Transact-SQL SET statement options, users must have sufficient permissions to execute the Transact-SQL statements and queries. Users must also be granted the SHOWPLAN permission for all databases containing referenced objects. The graphical execution plan output in SQL Server Management Studio is read from right to left and from top to bottom. Each query in the batch that is analyzed is displayed, including the cost of each query as a percentage of the total cost of the batch.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-5

Note: For more information about the icons used to display execution plans in Management Studio, see the topic Graphical Execution Plan Icons (SQL Server Management Studio) in SQL Server Books Online.

Question: Why would you want to view the Estimated Execution Plan?

9-6

Using Advanced Techniques

Demonstration: Using Execution Plans

Question: What do you need to do in order to be able to view the Actual Execution Plan?

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-7

Data Type Conversions

Key Points
Data types can be converted in the following scenarios: When data from one object is moved to, compared with, or combined with data from another object, the data may have to be converted from the data type of one object to the data type of the other. When data from a Transact-SQL result column, return code, or output parameter is moved into a program variable, the data must be converted from the SQL Server system data type to the data type of the variable.

Implicit conversions are not visible to the user. SQL Server automatically converts the data from one data type to another. For example, when a smallint is compared to an int, the smallint is implicitly converted to int before the comparison proceeds.

9-8

Using Advanced Techniques

Explicit conversions use the CAST or CONVERT functions. The CAST and CONVERT functions convert a value (a local variable, a column, or another expression) from one data type to another. For example, the following CAST function converts the numeric value of $157.27 into a character string of '157.27':
CAST ( $157.27 AS VARCHAR(10) )

Note: Not all data type conversions are allowed. For a chart of allowed implicit and explicit conversions, see the topic CAST and CONVERT (Transact-SQL) in SQL Server Books Online.

Question: What are some examples of operations that can result in data conversion?

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-9

Implicit Conversions

Key Points
Implicit conversions occur whenever two different data types are operated upon together without the use of CAST or CONVERT. In the code sample above, the variable @firstname is a char data type. The FirstName field in the Person.Person table is an nvarchar data type. In this case, char has a lower precedence than nvarchar, so the @firstname variable is converted to nvarchar for comparison, as the execution plan shows. Data type precedence is covered shortly. Question: When would you want to avoid implicit conversions?

9-10

Using Advanced Techniques

Explicit Conversions with CAST and CONVERT

Key Points
CAST and CONVERT explicitly convert one data type to another, with slightly different syntaxes. CONVERT is SQL Server specific and includes additional styles for converting date/time data. Use CAST instead of CONVERT if you want Transact-SQL program code to comply with ISO. Use CONVERT instead of CAST to take advantage of the style functionality in CONVERT.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-11

Data Type Precedence

Key Points
When an operator combines two expressions of different data types, the rules for data type precedence specify that the data type with the lower precedence is converted to the data type with the higher precedence. If the conversion is not a supported implicit conversion, an error is returned. When both operand expressions have the same data type, the result of the operation has that data type. In the code sample above, the first statement fails because int has higher precedence than varchar. The string 'Page Number' cannot be converted to int, so an explicit conversion of the @pageno variable to varchar is required for the statement to succeed and produce the correct output.
Note: For a complete list of data type precedence, see the topic Data Type Precedence (Transact-SQL) in SQL Server Books Online.

Question: Can you think of other scenarios where data type precedence might cause problems for implicit conversions?

9-12

Using Advanced Techniques

Demonstration: Understanding Data Type Conversion

Question: How can implicit data type conversions cause unexpected results on queries that run successfully?

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-13

Lesson 2

Working with Data Types

With the introduction of new date/time data types in SQL Server 2008, you need to know how to work with these data types in order to make sure your time/date data is correct in the database and in reports. Another new data type, hierachyid, can help organize hierarchical data in your databases.

9-14

Using Advanced Techniques

Recommendations for Querying Date/Time Data

Key Points
In SQL Server, there are six built-in data types to store date and time data: time, date, smalldatetime, datetime, datetime2, and datetimeoffset. The smalldatetime, datetime and datetime2 data types store both date and time data. The datetimeoffset data type also stores both date and time data, but is timezone aware for specifying the offset from a time or datetime value. The time and date data types store only time and only date data, respectively. If you specify only the date part when inserting data to smalldatetime, datetime, or datetime2 column, then SQL Server stores a zero value in the time part. If you specify only the time part, then SQL Server stores 1900-01-01 in the date part. Because the date and time values are stored together in those data types, some unexpected problems might occur.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-15

The following table summarizes the key differences between the different date and time data types:
Userdefined Storage fractional Time size second zone (bytes) precision offset Yes No

Data type time

Format

Range

Accuracy

hh:mm:ss[.nnnnnnn] 00:00:00.0000000 100 3 to 5 through nanoseconds 23:59:59.9999999 YYYY-MM-DD 0001-01-01 through 999912-31 1900-01-01 through 207906-06 1753-01-01 through 999912-31 1 day 3

date

No

No

smalldatetime

YYYY-MM-DD hh:mm:ss

1 minute

No

No

datetime

YYYY-MM-DD hh:mm:ss[.nnn]

0.00333 second

No

No

datetime2

YYYY-MM-DD 0001-01-01 100 6 to 8 hh:mm:ss[.nnnnnnn] 00:00:00.0000000 nanoseconds through 999912-31 23:59:59.9999999

Yes

No

datetimeoffset YYYY-MM-DD 0001-01-01 100 8 to 10 hh:mm:ss[.nnnnnnn] 00:00:00.0000000 nanoseconds [+|-]hh:mm through 999912-31 23:59:59.9999999 (in UTC)

Yes

Yes

9-16

Using Advanced Techniques

Recommendations for Inserting Date/Time Data

Key Points
When inserting date/time values into tables or views, you need to ensure that the format and the language settings of the date/time data types are correct. It is recommended that you use language-independent formats, rather than languagedependent formats because they are portable across languages. It is not recommended that you use language-dependent formats even with SET statements. You can also set SQL Server to use the ISOdatetime format. In the ISO format, the datetime values are represented as yyyymmdd [hh:mm:ss] or yyyy-mmddThh:mm:ss. The ISO dateformat is always guaranteed to work irrespective of the LANGUAGE or DATEFORMAT setting.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-17

Demonstration: Working with Date/Time Data

Question: What happens when you insert data containing only a date or only a time into a column that holds date and time data?

9-18

Using Advanced Techniques

Implementing the hierarchyid Data Type

Key Points
Hierarchical data is defined as a set of data items that are related to each other by hierarchical relationships. Hierarchical relationships are where one item of data is the parent of another item. Hierarchical data is common in databases. Examples include the following: An organizational structure A file system A set of tasks in a project A taxonomy of language terms A graph of links between Web pages

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-19

The hierarchyid data type makes it easier to store and query hierarchical data. hierarchyid is optimized for representing trees, which are the most common type of hierarchical data. The hierarchyid data type can be used to replace recursive common table expressions (CTEs) which are frequently used to generate hierarchical representations of database data. The code sample shows how to create a table that implements the hierarchyid data type on the EmployeeID column for organizing employees in the database in a hierarchy. Question: Can you think of a scenario where using hierarchical data might be useful?

9-20

Using Advanced Techniques

Working with Hierarchies

Key Points
A hierarchy needs an indexing strategy. There are two indexing strategies supported: Depth-first: A depth-first index, rows in a sub-tree are stored near each other. For example, all employees that report through a manager are stored near their managers record. This is represented in the code sample on the left. Breadth-first: A breadth-first stores the rows each level of the hierarchy together. For example, the records of employees who directly report to the same manager are stored near each other. This is represented by the code sample on the right.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-21

You can perform a number of operations on nodes within the hierarchy. You can query to get nodes above or below a point on the tree, move nodes from one parent to another, and add and remove nodes using the methods supplied with the hierarchyid data type.
Note: For a complete list and description of methods available for working with hierarchies, see the topic hierarchyid Data Type Method Reference in SQL Server Books Online.

9-22

Using Advanced Techniques

Demonstration: Using the hierarchyid Data Type

Question: What is the difference between the GetDescendant and GetAncestor methods?

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-23

Lesson 3

Cursors and Set-Based Queries

When querying data, the set of rows returned from a query is called the result set. Cursors allow you to perform operations on the result set on a row-by-row basis. Set-based logic, or a set-based approach, deals with the result set as a whole or parts instead of individual rows of data.

9-24

Using Advanced Techniques

Understanding Cursors

Key Points
Operations in a relational database act on a complete set of rows. The set of rows returned by a SELECT statement consists of all the rows that satisfy the conditions in the WHERE clause of the statement. This complete set of rows returned by the statement is known as the result set. Applications, especially interactive online applications, cannot always work effectively with the entire result set as a unit. These applications need a mechanism to work with one row or a small block of rows at a time. Cursors are an extension to result sets that provide that mechanism. Cursors extend result processing by: Allowing positioning at specific rows of the result set. Retrieving one row or block of rows from the current position in the result set. Supporting data modifications to the rows at the current position in the result set.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-25

Supporting different levels of visibility to changes made by other users to the database data that is presented in the result set. Providing Transact-SQL statements in scripts, stored procedures, and triggers access to the data in a result set.

Question: Can you think of a scenario where a cursor might prove useful?

9-26

Using Advanced Techniques

Cursor Implementations

Key Points
SQL Server supports three cursor implementations. Transact-SQL cursors Are based on the DECLARE CURSOR syntax and are used mainly in TransactSQL scripts, stored procedures, and triggers. Transact-SQL cursors are implemented on the server and are managed by Transact-SQL statements sent from the client to the server. They may also be contained in batches, stored procedures, or triggers. Application programming interface (API) server cursors Support the API cursor functions in OLE DB and ODBC. API server cursors are implemented on the server. Each time a client application calls an API cursor function, the SQL Server Native Client OLE DB provider or ODBC driver transmits the request to the server for action against the API server cursor.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-27

Client cursors Are implemented internally by the SQL Server Native Client ODBC driver and by the DLL that implements the ADO API. Client cursors are implemented by caching all the result set rows on the client. Each time a client application calls an API cursor function, the SQL Server Native Client ODBC driver or the ADO DLL performs the cursor operation on the result set rows cached on the client.

Note: Because Transact-SQL cursors and API server cursors are implemented on the server, they are referred to collectively as server cursors.

9-28

Using Advanced Techniques

Using Cursors

Key Points
Transact-SQL cursors and API cursors have different syntax, but the following general process is used with all SQL Server cursors: Associate a cursor with the result set of a Transact-SQL statement, and define characteristics of the cursor, such as whether the rows in the cursor can be updated. Execute the Transact-SQL statement to populate the cursor. Retrieve the rows in the cursor you want to see. The operation to retrieve one row or one block of rows from a cursor is called a fetch. Performing a series of fetches to retrieve rows in either a forward or backward direction is called scrolling. Optionally, perform modification operations (update or delete) on the row at the current position in the cursor. Close the cursor.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-29

When you are completely finished with a cursor, you must also deallocate the resources using the DEALLOCATE command. Closing a cursor releases locks, but SQL Server resources will be held until a cursor is deallocated.

9-30

Using Advanced Techniques

Demonstration: Working with Cursors

Question: How do you specify that a cursor should be read only?

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-31

Understanding Set-Based Logic

Key Points
While cursors allow a procedural approach to working with data by handling the data row-by-row, set-based logic, or a set-based approach to handling SQL Server data is inherent to SQL Server. Using a set-based approach to querying data, you are able to manipulate the entire result set as a whole. When using set-based logic, you allow SQL Server to determine the most efficient way to retrieve and manipulate the result set.

9-32

Using Advanced Techniques

Demonstration: Using Set-Based Queries

Question: Why is it recommended to rewrite cursors as set-based queries?

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-33

Lesson 4

Dynamic SQL

Although static SQL works well in many situations, there are some applications in which the data access cannot be determined in advance. To solve this problem, an application can use a form of embedded SQL called dynamic SQL. Unlike static SQL statements, which are hard-coded in the program, dynamic SQL statements can be built at run time and placed in a string host variable. They are then sent to SQL Server for processing.

9-34

Using Advanced Techniques

Introducing Dynamic SQL

Key Points
Dynamic SQL allows a T-SQL query to be built using variables and strings, then executed as a string using two available methods, which you will learn about shortly. Dynamic SQL can be useful in applications where forms with optional fields may be filled out and submitted. You can use the contents of the optional fields that have been filled out to create WHERE clauses to help return more relevant results. In the code sample above, a variable called @SQLString is populated with a SELECT statement. The @SQLString variable can then be passed to one of two commands for execution. Question: Can you think of a scenario where dynamic SQL might be useful?

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-35

Using Dynamic SQL

Key Points
There are two methods for executing dynamic SQL statements, sp_executesql and EXECUTE. sp_executesql is a system stored procedure that takes the dynamic SQL statement as a parameter and executes it. It can take additional parameters as well. EXECUTE can also execute dynamic SQL strings, and has a different syntax than sp_executesql.

Question: Why choose one method of dynamic SQL execution over the other?

9-36

Using Advanced Techniques

Considerations for Using Dynamic SQL

Key Points
There are some important things to consider when using dynamic SQL: SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Dynamic SQL can be prone to SQL injection attacks if strings are not validated before they are executed. Security is checked for every object involved in a dynamic SQL statement. This means that you may have to give more permissions on underlying database objects than you would with a stored procedure. A user with permission to execute a stored procedure does not need permissions on the underlying database objects, but a user who executed a dynamic SQL statement against those same tables must have permissions on them. Because of the nature of dynamic SQL, it is less likely to generate execution plans that can be cached and reused than static SQL. This can have an impact on query performance using dynamic SQL.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-37

Using sp_executesql can help SQL Server reuse execution plans when the only variation is in the parameter values supplied to the Transact-SQL statement. Because the Transact-SQL statements themselves remain constant and only the parameter values change, the SQL Server query optimizer is likely to reuse the execution plan it generates for the first execution. Because dynamic SQL statements are generally unlikely to generate reusable execution plans, their performance is related directly to the complexity of the query you build. When possible, try to reduce the complexity of any dynamic SQL queries you use.

Question: Why is SQL injection so dangerous?

9-38

Using Advanced Techniques

Demonstration: Using Dynamic SQL

Question: What role do variables play in dynamic SQL?

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-39

Lesson 5

Maintaining Query Files

When you have many developers working on a SQL Server project, you want to have a historical record of versions of projects and files, or you want to ensure that you have a central repository for all your SQL Server projects, you may want to implement a versioning and source control system.

9-40

Using Advanced Techniques

What Are Versioning and Source Control?

Key Points
When you work in teams, you need to enable the parallel development of projects by team members. However, when team members work with the same file, they need to reconcile conflicts between the different versions of the file and avoid the potential loss of valuable changes. In such situations, you require software such as Microsoft Visual SourceSafe or Team Foundation Server for source control and version management.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-41

Features of Team Foundation Server 2008

Key Points
Team Foundation Server (TFS) 2008 provides source control and versioning capabilities. TFS will supports a Microsoft SQL Server 2005 back end, and will support SQL Server 2008 for a back end when SQL Server 2008 and Team Foundation Server SP1 reach RTM.

9-42

Using Advanced Techniques

Lab 9: Using Advanced Techniques

Exercise 1: Using Execution Plans

Scenario
You are a Database Administrator at Adventure Works. As part of an effort to analyze database performance, the Senior Database Administrator has asked you to become familiar with query execution plans. In order to do this, you need to know how to view estimated and actual execution plans, as well as save execution plans and view them in XML format. The main tasks for this exercise are as follows: 1. 2. 3. 4. Start the 2778A-NY-SQL-01 virtual machine and log on as Administrator. View an estimated execution plan. View an actual execution plan. Save an execution plan.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-43

Task 1: Start the 2778A-NY-SQL-01 virtual machine and log on as Administrator

Start NY-SQL-01 and log on as Administrator with a password of Pa$$w0rd.

Task 2: View an estimated execution plan

Use SQL Server Management Studio to open the file E:\Mod09\Labfiles\Starter\Exercise01\Order-ProductID.sql. Display the Estimated Execution Plan. Review the components of the execution plan.

Task 3: View an actual execution plan

Set the query to include the Actual Execution Plan. Run the query. Review the components of the execution plan.

Task 4: Save an execution plan

Save the execution plan as a .sqlplan file to E:\Mod09\Labfiles\Starter\Exercise01\Order-ProductID.sqlplan. View the XML code for the execution plan and save it to E:\Mod09\Labfiles\Starter\Exercise01\Order-ProductID.xml.
Results: After this exercise, you should have viewed estimated and actual execution plans for queries, and saved the execution plans to files.

9-44

Using Advanced Techniques

Exercise 2: Converting Data Types

Scenario
Some application queries have been producing unexpected results. The Senior Database Administrator suspects that some of the problems may be due to incorrect data type conversion. The Senior DBA has asked you to spend some time learning about data type conversion so that you can help resolve these problems. The main tasks for this exercise are as follows: 1. 2. Use implicit conversions. Use explicit conversions.

Task 1: Use implicit conversions

Use SQL Server Management Studio to look up the data type for the SalariedFlag column in the HumanResources.Employee table in the AdventureWorks2008 database. Create a new query on the AdventureWorks2008 database with the following code:
SELECT NationalIDNumber, LoginID, SalariedFlag FROM HumanResources.Employee WHERE SalariedFlag = 'False'

Review the Results pane. SQL Server automatically converted "False" to a data type of bit to compare it to the SalariedFlag column. Look up the data types for the ListPrice and StandardCost columns in the Production.Product table. Create a new query on the AdventureWorks2008 database with the following code:
DECLARE @NewListPrice nvarchar(10) = '39.99' DECLARE @NewStandardCost float = 12.45 UPDATE Production.Product SET ListPrice = @NewListPrice, StandardCost = @NewStandardCost WHERE ProductID = '2'

Run the query.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-45

Create a new query on the AdventureWorks2008 database with the following code:
SELECT Name, StandardCost, ListPrice from Production.Product WHERE ProductID = '2'

Run the query. In the results pane, notice that the ListPrice and StandardCost columns have been updated. SQL Server automatically converted the nvarchar and float types in the update query to the money data type used by the columns. Open the file E:\Mod09\Labfiles\Starter\Exercise02\UpdateDemographics.sql. Notice that the variable @NewDemographics is an nvarchar data type and contains a valid XML string. Run the query. Create a new query on the AdventureWorks2008 database with the following code:
SELECT FirstName, MiddleName, LastName, Demographics FROM Person.Person WHERE BusinessEntityID = 15

Run the query. In the Results pane, click the link in the Demographics column. SQL Server converted the nvarchar string to the xml data type automatically because the XML was valid.

Task 2: Use explicit conversions

Open the file E:\Mod09\Labfiles\Starter\Exercise02\EmployeePayRate.sql. Run the query and take note of the error message. Change the line of the query that begins with SELECT, so that it reads as follows:
SELECT (p.FirstName + ' ' + p.LastName + ' ' + CONVERT(nvarchar, s.Rate))

9-46

Using Advanced Techniques

Run the query. In the Results pane, there is a single column with the employee name and pay rate combined. Open the file E:\Mod09\Labfiles\Starter\Exercise02\PayRateLastChange.sql. Run the query. Review the results of the query. Notice that the last column does not show both the pay rate and date. In the query pane, modify the SELECT statement so that it begins as follows:
SELECT p.FirstName, p.LastName, (CAST(s.Rate AS nvarchar) + ' ' + s.RateChangeDate)

Run the query, and take note of the error message. Modify the SELECT statement again, so that it reads as follows:
SELECT p.FirstName, p.LastName, (CAST(s.Rate AS nvarchar) + ' ' + CAST(s.RateChangeDate as nvarchar))

Run the query. Notice that the query now runs and the last column displays the correct information.
Results: After this exercise, you should have verified that SQL Server automatically performs implicit conversions, and you should have also successfully run queries that performed explicit data type conversions.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-47

Exercise 3: Implementing a Hierarchy

Scenario
The Sales department at Adventure Works is reorganizing its sales territories to reflect the organizations hierarchy. In order to represent the hierarchical structure of the sales territories, you have decided to create a new table in the database and implement the hierarchy using the hierarchyid data type. The main tasks for this exercise are as follows: 1. 2. Create a hierarchy. Query a hierarchy.

Task 1: Create a hierarchy

Open the Project E:\Mod09\Labfiles\Starter\Exercise03\SalesTerritory\SalesTerritory.ssm ssln. In Solution Explorer, open the CreateTerritoryTable.sql file. Review and then run the query. In Solution Explorer, open the CreateTableIndex.sql file. Review and then run the query. In Solution Explorer, open the InsertRootTerritory.sql file. Review and then run the query. In Solution Explorer, open the InsertChildTerritory.sql file. Review and then run the query. In Solution Explorer, open the CreateTerritorySP.sql file. Review and then run the query. In Solution Explorer, open the PopulateTerritoryTable.sql file. Review and then run the query.

9-48

Using Advanced Techniques

Task 2: Query a hierarchy

In Solution Explorer, open the GetTerritoryOrg.sql file. Review and then run the query. Review the Results to see how the nodes in the hierarchy relate to one another. Pay particular attention to the Text_OrgNode, OrgNode, and OrgLevel columns.
Results: After this exercise, you should have created a table for the Sales department hierarchy and populated it.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-49

Exercise 4: Using Cursors and Set-Based Queries

Scenario
You are working with a test copy of the AdventureWorks2008 database that has no pricing data in the Production.Product table. You need to populate both the ListPrice and StandardCost fields of the table, and have decided use a cursor to update ListPrice data and use a set-based query to update StandardCost data to see how the two approaches compare. The main tasks for this exercise are as follows: 1. 2. Update the ListPrice column. Update the StandardCost column.

Task 1: Update the ListPrice column

Create a new query on the AdventureWorks2008 database with the following code:
SELECT ProductID, Name, StandardCost, ListPrice FROM Production.Product

Review the StandardCost and ListPrice columns in the Results pane. Keep this query pane open. Open the E:\Mod09\Labfiles\Starter\Exercise04\UpdateListPriceCursor.sql file. Review and execute the query. When the update is complete, run the SELECT query again. Review the ListPrice column in the Results pane. The ListPrice column has been updated.

9-50

Using Advanced Techniques

Task 2: Update the StandardCost column

Create a new query on the AdventureWorks2008 database with the following code:
UPDATE Production.Product SET StandardCost = 7.99

Run the query. When the update is complete, run the SELECT query again. Review the StandardCost column in the Results pane. The StandardCost column has been updated. Close SQL Server Management Studio without saving changes. Turn off the virtual machine and discard changes.
Results: After this exercise, you should have used a cursor to update the ListPrice column and used a set-based query to update the StandardCost column of the Production.Product table.

Writing Queries Using Microsoft SQL Server 2008 Transact-SQL

9-51

Module Review and Takeaways

Review Questions
1. 2. 3. How do cursors handle result sets? What functions are used to perform explicit data type conversions? What methods can be used to execute dynamic SQL queries?

9-52

Using Advanced Techniques

Common Issues related to data type conversion

Identify the causes for the following common issues related to data type conversion and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue Cannot implicitly or explicitly convert string or number data to xml data type Implicit conversions to binary data type produces unexpected results Converting integers to character data types implicitly results in an asterisk (*) instead of the correct value. Troubleshooting tip

Best Practices related to using dynamic SQL

Supplement or modify the following best practices for your own work situations: Because dynamic SQL is a significant vector of SQL injection attacks, there are a number of steps you should take. Make no assumptions about the size, type, or content of the data that is received by your application. For example, you should make the following evaluation: How will your application behave if an errant or malicious user enters a 10-megabyte MPEG file where your application expects a postal code? How will your application behave if a DROP TABLE statement is embedded in a text field.

Test the size and data type of input and enforce appropriate limits. This can help prevent deliberate buffer overruns. Never build Transact-SQL statements directly from user input. Use stored procedures to validate user input. Never concatenate user input that is not validated. String concatenation is the primary point of entry for script injection. Do not accept the following strings in fields from which file names can be constructed: AUX, CLOCK$, COM1 through COM8, CON, CONFIG$, LPT1 through LPT8, NUL, and PRN.