Executing character string with variable table name
This post is in response to an answer put on a mailing list. The person is interested to know how to create a stored procedure having Tsql statement with some variable table name, that’s passed to the stored procedure.
Here is the sample TSql code.
create procedure TheProcedure
@Table nvarchar(20)
as
declare @Sql nvarchar(50);
--Be aware of Sql Injection Attacks
select @Sql = 'select * from '+@Table;
exec (@Sql);
exec TheProcedure @Table='Categories';
As already warned in the code, you should take necessary measures to keep your database safe from the Sql injection attacks.