Stephen A. Fuqua (saf)

a Bahá'í, software engineer, and nature lover in Austin, Texas, USA

Replacing Ad Hoc Query Text When Fields Change

Situation: We have a stored procedure running a query whose WHERE clause is given as a parameter. No, that’s not the problem in and of itself, at least not today. (Treat this as a non-negotiable requirement for now). Within that WHERE clause there might be a query against a field, call it myField. This field is a varchar and wildcards are not used. Platform: SQL Server 2005.

Problem: myField has been changed to a varbinary field and holds an encrypted value — thus can no longer query directly against it. How do we make this work?

Solution: First a tangent — querying against a hash value. Right now we’d have to decrypt every single value of myField, compare it to the WHERE clause, and see if we had a match. Yuk. Big drawback of encryption. Thankfully, there’s another way — save a unique and irreversible hash of the encrypted value and then compare against this.

Thus I have an additional column called myFieldHashed. When I save data to myField, I also take the raw data, run it through a hashing algorithm with the T-SQL HashBytes command, and save that value. Now my query against myField will no longer be DECRYPT_COMMAND(myField) = '<some value>', but rather myFieldHash = HashBytes('algo', '<some value>'). (DECRYPT_COMMAND is not a real SQL command, just a lazy substitute).

Unfortunately neither methods work right now — hashing or decrypting — because the WHERE clause will not contain either the decrypt command or the HashBytes command.

What we need to do is extract anything that looks like myField = '<some value>' and replace it with the proper command. A caveat: if there are nested AND or OR statements, this phrase could be repeated. Repetition indicates that we might want to use a UDF that can be called recursively.

So let’s get to it. First let’s create a temp table upon which to operate:

CREATE TABLE #Temp (myField varchar(6), myFieldHash varchar(256), anotherField varchar(1))
INSERT INTO #Temp (myField, myFieldHash, anotherField) SELECT 'value1', HashBytes('MD2','value1'), '1'

INSERT INTO #Temp (myField, myFieldHash, anotherField) SELECT 'value2', HashBytes('MD2','value2'), '2'
INSERT INTO #Temp (myField, myFieldHash, anotherField) SELECT 'value3', HashBytes('MD2','value4'), '3'
SELECT * FROM #temp

And here’s a WHERE clause that might be passed into our stored procedure:

DECLARE @WHERE as VARCHAR(1000), @stmt as VARCHAR(1000)
SET @WHERE = 'WHERE (myField = ''value1'' AND anotherField = ''1'') OR (myField = ''value3'')'

Need to extract the myField = 'xxx' portion and later insert a new clause in the exact same position. Thus must preserve string before and after this clause, and need to know the position of the word “myField” and of the two apostrophes surrounding the criteria in order to isolate that criteria. Declare some variables.

DECLARE @before as varchar(1000), @after as varchar(1000), @criteria as varchar(1000), @pos_myField as INT, @pos_APOS_1 as INT, @pos_APOS_2 as INT

Find myField = , assuming there are spaces around =. And since we’ll be replacing myField with myFieldHash, make sure to capture the space and equal after myField so as to not accidentally match myFieldHash.

SET @pos_myField = CHARINDEX('myField = ', @WHERE)

First apostrophe after myField:

SET @pos_APOS_1 = CHARINDEX('''', @WHERE, @pos_myField + 1)

Now the second apostrophe:

SET @pos_APOS_2 = CHARINDEX('''', @WHERE, @pos_APOS_1  + 1)

Now extract the three parts:


SET @before = SUBSTRING(@WHERE, 1, @pos_myField - 1)
SET @criteria = SUBSTRING(@WHERE, @pos_APOS_1 + 1, @pos_APOS_2 - @pos_APOS_1 - 1)
SET @after = SUBSTRING(@WHERE, @pos_APOS_2 + 1, LEN(@WHERE)-@pos_APOS_2)

Rebuild with HASH field name

SET @return = @before + ' myFieldHash = HashBytes(''MD2'', ''' + @criteria + ''') ' + @after

Try that out now, if you like! You’ll find that it works as expected — on the first myField criteria anyway. There might be a better solution out there, but this is the one I’ve come up with and it does the trick =).

Now we need to get the second. While I initially suggested that this might be a recursive function, perhaps it would be better to simply put a loop into the function.

WHILE (@pos_myField <> 0)

End result:


CREATE FUNCTION dbo.fnFixMyFieldAdHoc(@WHERE varchar(1000))
RETURNS varchar(1000)
AS

BEGIN

     DECLARE @return as varchar(1000)
     SET @return = @WHERE


     DECLARE @before as varchar(1000), @after as varchar(1000), @criteria as varchar(1000), @pos_myField as INT, @pos_APOS_1 as INT, @pos_APOS_2 as INT

     SET @pos_myField = CHARINDEX('myField = ', @return)

     WHILE (@pos_myField <> 0)
     BEGIN

          SET @pos_APOS_1 = CHARINDEX('''', @return, @pos_myField + 1)

          SET @pos_APOS_2 = CHARINDEX('''', @return, @pos_APOS_1  + 1)

          SET @before = SUBSTRING(@return, 1, @pos_myField - 1)
          SET @criteria = SUBSTRING(@return, @pos_APOS_1 + 1, @pos_APOS_2 - @pos_APOS_1 - 1)
          SET @after = SUBSTRING(@return, @pos_APOS_2 + 1, LEN(@return)-@pos_APOS_2)

          SET @return = @before + ' myFieldHash = HashBytes(''MD2'', ''' + @criteria + ''') ' + @after

          SET @pos_myField = CHARINDEX('myField = ', @return)

     END

     RETURN @return


END
GO

GRANT EXECUTE ON fnFixMyFieldAdHoc TO PUBLIC
GO

Now we can test out the function:

SET @WHERE = dbo.fnFixMyFieldAdHoc(@WHERE)

PRINT @WHERE
SET @stmt = 'SELECT * FROM #Temp ' + @WHERE
PRINT @stmt
exec (@stmt)

And let’s also make sure the function does not error out if there are no instances of “myField”:

SET @WHERE = 'WHERE anotherField = ''1'''
SET @WHERE = dbo.fnFixMyFieldAdHoc(@WHERE)
PRINT @WHERE
SET @stmt = 'SELECT * FROM #Temp ' + @WHERE
PRINT @stmt
exec (@stmt)

Now we have our solution. It could be done in a more robust fashion using regular expressions (i.e. would be able to handle myField = as well as myField=), but that would require CLR integration and I’m just not ready to go to that extreme.

Note: MD2 has not been considered secure since 2004. You should choose a better algorithm than this.

Posted with : Tech, Microsoft SQL Server and other databases, SQL Server