24 August 2018

Guest post

This is a guest post from Phil Factor. Phil Factor (real name withheld to protect the guilty), aka Database Mole, has 30 years of experience with database-intensive applications.

Despite having once been shouted at by a furious Bill Gates at an exhibition in the early 1980s, he has remained resolutely anonymous throughout his career.

He is a regular contributor to Simple Talk and SQLServerCentral.

SQL Prompt Code Analysis: Avoid using the ISNUMERIC Function (E1029)

Avoid using the IsNumeric() function, because it can often lead to data type conversion errors when importing data. On SQL Server 2012 or later, use the Try_Convert() or Try_Cast() function instead. On earlier SQL Server versions, the only way to avoid it is by using LIKE expressions.

Avoid using the IsNumeric() function, because it can often lead to data type conversion errors when importing data. SQL Prompt Code Analysis rules include an Execution rule, E1029, which will alert you to use of this function in your T-SQL. If you’re working on SQL Server 2012 or later, it’s much better to use the Try_Convert() or Try_Cast() function instead. On earlier SQL Server versions, the only way to avoid it is by using LIKE expressions.

The stated purpose of IsNumeric() is to “determine whether an expression is a valid numeric type”. It accepts int, numeric, float and money numbers, and will tell you whether the string or number you provided can be cast or converted into a number. The trouble is that it won’t tell you what sort of number; it will tell you that something like ',' or '$-.' or '-' or '0E0' can be converted to a number but leaves you to guess what sort.

Data type conversions when using IsNumeric()

Let’s take an obvious use for IsNumeric(). You are importing values from a log file that has a column that is supposed to be a floating point number. You want to be sure that each input row can be inserted into your import table, which has a float column. If not, you want the row to be held in a separate input table, for investigation. The CSV file is parsed, and your input includes the string ‘+’. You check with IsNumeric(), it passes the check and so you insert the row. Bang!

You’ve got an exception. The ‘+’ string can be cast into money (0.00), an int (0) but not a float.

Let’s flesh this out a bit so we can try things out. We’ll start by successfully filtering out a bad row, so that we can deal with it afterwards, by manual intervention.

Listing 1

Execute this, and you’ll find that the routine has successfully filtered out the bad value:

Now all we do is to change the word ‘bad’ in the VALUES list into ‘+’ and what happens?

You’ve been caught out. The ‘+’ symbol can be cast to money or an int, but not a float.

Replace IsNumeric with Try_Convert

The answer is to replace IsNumeric('+') with the more recent Try_Convert(). In Listing 1, leave our previously problematic ‘+’ symbol in place, and change the two final expressions that check to see if the values are numeric, as follows:

Listing 2

It all works fine, and we are back with a more robust input routine:

Flushed with success, you can then change the routine to check the dates and the tap number too.
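The import scenario described above, as an added example that is not one of the article's own listings: the same constructed rows are first gated with IsNumeric(), which lets '+' through to a failing float conversion, and then routed with Try_Convert(). The table and column names are hypothetical, and the sample rows are constructed from the strings the article mentions.

```sql
-- Added example: table/column names are hypothetical, sample rows are constructed.
-- Requires SQL Server 2012 or later (TRY_CONVERT).
DECLARE @Staging  TABLE (RowId int IDENTITY PRIMARY KEY, RawReading varchar(30) NOT NULL);
DECLARE @Import   TABLE (RowId int PRIMARY KEY, Reading float NOT NULL);
DECLARE @Rejected TABLE (RowId int PRIMARY KEY, RawReading varchar(30) NOT NULL);

INSERT INTO @Staging (RawReading)
VALUES ('12.5'), ('0E0'), ('bad'), ('+'), (','), ('$-.'), ('-'), ('');

-- 1. ISNUMERIC() as the gatekeeper: it answers "is this any numeric type?",
--    so rows that cannot become a float still reach the conversion.
BEGIN TRY
  INSERT INTO @Import (RowId, Reading)
  SELECT RowId, CONVERT(float, RawReading)
  FROM @Staging
  WHERE ISNUMERIC(RawReading) = 1;
END TRY
BEGIN CATCH
  -- The whole INSERT fails; report why instead of aborting the batch.
  SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;

-- 2. TRY_CONVERT() asks the precise question: "can this be a float?"
--    NULLIF turns blank strings into NULL so they are rejected too;
--    a blank would otherwise convert to 0.
INSERT INTO @Import (RowId, Reading)
SELECT RowId, TRY_CONVERT(float, NULLIF(RawReading, ''))
FROM @Staging
WHERE TRY_CONVERT(float, NULLIF(RawReading, '')) IS NOT NULL;

-- Everything else is held back for manual investigation.
INSERT INTO @Rejected (RowId, RawReading)
SELECT RowId, RawReading
FROM @Staging
WHERE TRY_CONVERT(float, NULLIF(RawReading, '')) IS NULL;

-- Side-by-side view: what ISNUMERIC() claimed versus where the row ended up.
SELECT s.RowId, s.RawReading,
       ISNUMERIC(s.RawReading) AS IsNumericVerdict,
       CASE WHEN r.RowId IS NULL THEN 'imported' ELSE 'rejected' END AS Outcome
FROM @Staging AS s
LEFT JOIN @Rejected AS r ON r.RowId = s.RowId
ORDER BY s.RowId;
```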

Replacing IsNumeric with LIKE expressions

You haven’t got SQL Server 2012 or later? That’s a shame. You’ll need to build some bulkier LIKE expressions instead, in order to replace IsNumeric() with code that tells you more precisely whether the string can be cast as a float. To avoid adding all that complexity to our code, we’ll opt to hide it in our import table as a calculated column. For anyone stuck on SQL Server 2005, I’ll put the calculated column in a temporary table, rather than a table variable.

Listing 3

You don’t need to figure out these LIKE expressions because they are all in my blog ‘Is It Time To Stop Using IsNumeric()’. There is also more explanation of the quirkiness of IsNumeric() here: ‘IsNumeric() Broken? Only up to a point.’
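A sketch of the calculated-column approach for older versions, as an added example: the LIKE expressions here are not the ones from the author's blog but a deliberately stricter check that accepts only an optional sign, digits and at most one decimal point, so it also rejects exponent forms such as '0E0' that a float would accept. The table and column names are hypothetical and the sample rows are constructed.

```sql
-- Added example: hypothetical names, constructed rows. Avoids TRY_CONVERT and
-- multi-row VALUES so that it also runs on SQL Server 2005.
CREATE TABLE #ImportReadings
(
  RowId int IDENTITY PRIMARY KEY,
  -- Binary collation so that the [0-9] range matches only the ASCII digits.
  RawReading varchar(30) COLLATE Latin1_General_BIN2 NOT NULL,
  -- 1 only for: optional sign, then digits with at most one decimal point.
  IsPlainDecimal AS CASE
      WHEN (LEFT(RawReading, 1) IN ('+', '-') OR LEFT(RawReading, 1) LIKE '[0-9.]')
       AND SUBSTRING(RawReading, 2, 30) NOT LIKE '%[^0-9.]%' -- rest: digits and dots only
       AND RawReading LIKE '%[0-9]%'                         -- at least one digit
       AND RawReading NOT LIKE '%.%.%'                       -- no second decimal point
      THEN 1 ELSE 0 END
);

INSERT INTO #ImportReadings (RawReading)
SELECT '12.5' UNION ALL SELECT '-3'  UNION ALL SELECT '+'   UNION ALL
SELECT ','    UNION ALL SELECT '$-.' UNION ALL SELECT '0E0' UNION ALL
SELECT 'bad';

-- Rows that pass the check. The CAST sits inside a CASE so that it is only
-- evaluated for rows that passed, whatever order the optimizer applies the filter in.
SELECT RowId,
       CASE WHEN IsPlainDecimal = 1 THEN CAST(RawReading AS float) END AS Reading
FROM #ImportReadings
WHERE IsPlainDecimal = 1;

-- Rows held back for manual investigation.
SELECT RowId, RawReading
FROM #ImportReadings
WHERE IsPlainDecimal = 0;

DROP TABLE #ImportReadings;
```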

Conclusion

The IsNumeric() function was never much use, because you only rarely want to ask ‘can this string be cast to any numeric type?’ You almost always want to know whether it can be cast specifically to money, int, numeric, float and so on. It is much better to use Try_Convert() or Try_Cast() (the only difference is the way parameters are passed). Try_Parse() is more useful for parsing dates in other language formats.

If you understand the quirks of IsNumeric() and can accept them, then by all means use it. The worst of its quirks is that it doesn’t know about Unicode currency symbols, such as the UK Pound sign ‘₤’ and the Euro, ‘€’, so it says that they can’t be cast as money. Obviously, if you only want to know whether a string or numeric value can be cast as one or more of the various numeric types, and you aren’t worried about the fact that it doesn’t recognize most of the world’s currencies as money, then use IsNumeric(). However, for the majority of cases, Try_Convert() is far handier and more reliable.

If you are stuck with an old version of SQL Server, then your best choice is to use the LIKE expressions that I’ve shown you in my blog ‘Is It Time To Stop Using IsNumeric()’.

  • Andy Robertson

    Excellent article. Thanks Phil.
