Quote:
Originally Posted by BenP
This seems like a bad idea to me because of security, performance, and debugging issues, but my boss is pretty insistent.
Is it actually a bad idea?
Yes. You can't do parametrization that way, which means, among other things:
- you're opening the flood gates for SQL injection potential
- the RDBMS can't optimize your queries should they repeat again, because the objects (e.g. columns) are entirely arbitrary, so no indexing and statistics are possible
Needless to say, you're throwing most benefits of a relational database out the window. Might consider a dictionary-based alternative, in that case.
There are reasons to do this, but a catch-all "update x set y=z" procedure sounds absolutely horrid.
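To make the "no parametrization" point concrete, here is an added example (not code from the thread) contrasting a string-built catch-all update with a version that allow-lists identifiers against the live schema and binds the value. It uses an in-memory SQLite database and a constructed users table; the names, payload and helper functions are all assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample schema, not from the original thread.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'bob', 'user'), (3, 'carol', 'admin');
"""

# Constructed value that a caller might pass for the "z" in "update x set y=z".
PAYLOAD = "admin' WHERE 1=1 --"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def unsafe_update(conn, table, column, value, row_id):
    # The catch-all procedure built by concatenation: table, column AND value
    # all become SQL text, so the WHERE clause can be rewritten by the value.
    sql = f"UPDATE {table} SET {column} = '{value}' WHERE id = {row_id}"
    conn.execute(sql)
    conn.commit()


def safe_update(conn, table, column, value, row_id):
    # Identifiers cannot be bound as parameters, so they are checked against
    # the catalogue instead; the value and key are bound, never concatenated.
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", table):
        raise ValueError("bad table name")
    cols = {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}
    if not cols:
        raise ValueError("unknown table")
    if column not in cols:
        raise ValueError("unknown column")
    sql = f'UPDATE "{table}" SET "{column}" = ? WHERE id = ?'
    conn.execute(sql, (value, row_id))
    conn.commit()


def roles(conn):
    return [row[0] for row in conn.execute("SELECT role FROM users ORDER BY id")]


if __name__ == "__main__":
    db = fresh_db()
    unsafe_update(db, "users", "role", PAYLOAD, 2)
    print(roles(db))  # every row is now 'admin', not just id 2
    db = fresh_db()
    safe_update(db, "users", "role", PAYLOAD, 2)
    print(roles(db))  # only id 2 changed, to the literal payload string
```

Note that even the hardened version still defeats plan caching, since each distinct table/column pair is a different statement text, which is the second objection in the reply.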