
Executing character string with variable table name

This post is in response to an answer posted on a mailing list. The person wanted to know how to create a stored procedure whose T-SQL statement uses a variable table name that is passed to the stored procedure.

Here is the sample T-SQL code.

 

 

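use northwind
go

-- create procedure must be the first statement in its batch, hence the go above
create procedure TheProcedure
      @Table nvarchar(20)
as
      declare @Sql nvarchar(50);
      --Be aware of Sql Injection Attacks
      -- the table name is concatenated into the statement text as-is
      select @Sql = 'select * from '+@Table;
      exec (@Sql);
go

-- the go above ends the procedure body, so this call is not compiled into it
exec TheProcedure @Table='Categories';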

 

As the comment in the code warns, @Table is concatenated directly into the statement that gets executed, so you should take the necessary measures to keep your database safe from SQL injection attacks.
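One way to take those measures, shown as an added example that is not part of the original post: the statement is built from the catalog's own copy of the table name, wrapped in quotename, so text that does not match an existing table never reaches exec. The procedure name TheProcedureSafe and the @Schema parameter are hypothetical, and the code assumes SQL Server 2005 or later (sys.tables, sys.schemas, nvarchar(max)).

```sql
-- Added example, not from the original post. TheProcedureSafe and @Schema
-- are hypothetical names; assumes SQL Server 2005+ and the Northwind database.
use northwind
go

create procedure TheProcedureSafe
      @Table  sysname,            -- sysname is the type SQL Server uses for identifiers
      @Schema sysname = N'dbo'
as
begin
      set nocount on;

      declare @Sql nvarchar(max);

      -- Take the name from catalog metadata, not from the caller's text.
      -- Only a table that really exists in the given schema yields a row;
      -- for anything else the select assigns nothing and @Sql stays null.
      select @Sql = N'select * from '
                  + quotename(s.name) + N'.' + quotename(t.name) + N';'
      from sys.tables  as t
      join sys.schemas as s on s.schema_id = t.schema_id
      where t.name = @Table
        and s.name = @Schema;

      if @Sql is null
      begin
            raiserror(N'Unknown table name.', 16, 1);
            return 1;
      end

      exec sp_executesql @Sql;
end
go

-- Legitimate call: returns the rows of [dbo].[Categories].
exec TheProcedureSafe @Table = N'Categories';

-- Constructed hostile input: no table has this name, so the procedure
-- raises 'Unknown table name.' and no dynamic statement is executed.
exec TheProcedureSafe @Table = N'Categories; select * from Employees';
```

Dynamic SQL runs with the caller's permissions rather than through ownership chaining, so the caller still needs select permission on the requested table.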

Published Wednesday, August 18, 2004 6:47 PM by khurram
