4e512c1a   
   From: esquel@sommarskog.se   
      
   Ender Karada? (enkaradag@gmail.com) writes:   
   > up to now, each user has rules to see workers on one department such   
   > as SELECT * from worker where DEPARTMENTNO=2   
   > im doing this with query code in application, with lots of '..where   
   > DEPARTMENTNO='+inttostr(mydeptno)   
      
   Which is not the way you should write it. If you are using .Net, you should   
   write it as   
      
      SELECT * FROM worker WHERE DEPARRTMENTNO = @depto   
      
   And then pass the value of @depto in the SqlParameters collection.   
      
   With several other client API, you use ? as the parameter marker, but   
   the principle is the same. You should never build complete query strings   
   from input values. This introduces a risk for SQL injection, and it   
   utilises the cache in SQL Server poorly. It also gives you headache   
   with datetime values.   
      
      
   > now im thinking of a technic for doing this in sqlserver side;   
   >   
   > is there a way like:   
   >   
   > DECLARE @DEPTNO int       ---variable will be static for my session   
   > SET @DEPTNO=1                 ---i will do this first for my   
   > connection session..   
   >   
   > -----   
   > and i will have a view like;   
   > SELECT ID,NAME from worker where DEPARTMENTNO=@DEPTNO   
      
   You could use a temp table that you create on session level. The temp   
   table would exist until you disconnect.   
      
   But this assumes that you keep a global connection that stays active   
   all the time. That is not a very common application design these days.   
      
      
   --   
   Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se   
      
   Links for SQL Server Books Online:   
   SQL 2008: http://msdn.microsoft.com/en-us/sqlserver/cc514207.aspx   
   SQL 2005: http://msdn.microsoft.com/en-us/sqlserver/bb895970.aspx   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)