
Executing character string with variable table name

This post is in response to an answer posted on a mailing list. The person wants to know how to create a stored procedure that runs a T-SQL statement against a variable table name, with the table name passed to the stored procedure as a parameter.


Here is the sample T-SQL code.



use northwind
go

create procedure TheProcedure
      @Table nvarchar(20)
as
begin
      declare @Sql nvarchar(50);

      --Be aware of Sql Injection Attacks
      select @Sql = 'select * from '+@Table;

      exec (@Sql);
end
go

exec TheProcedure @Table='Categories';


As already warned in the code, you should take the necessary measures to keep your database safe from SQL injection attacks, because the table name is concatenated directly into the statement that gets executed.
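One way to take those measures, shown as an added example that is not part of the original post: the procedure name TheProcedureSafe and the restriction to the dbo schema are assumptions. The parameter is resolved against the catalog first, and the statement is built only from the catalog's own values, delimited with quotename().

```sql
use northwind
go

-- Hypothetical hardened variant of TheProcedure (the name is an assumption).
create procedure TheProcedureSafe
      @Table sysname
as
begin
      set nocount on;

      declare @Sql nvarchar(400);
      declare @Schema sysname, @Name sysname;

      -- Treat the parameter as data: look it up in the catalog.
      -- Only an existing base table in dbo (assumed schema) can match.
      select @Schema = TABLE_SCHEMA, @Name = TABLE_NAME
      from INFORMATION_SCHEMA.TABLES
      where TABLE_TYPE = 'BASE TABLE'
        and TABLE_SCHEMA = 'dbo'
        and TABLE_NAME = @Table;

      -- No matching table: refuse instead of executing anything.
      if @Name is null
      begin
            raiserror('Unknown table name.', 16, 1);
            return;
      end

      -- Build the statement from the catalog values, not from the raw input,
      -- and delimit each identifier so spaces or brackets cannot break out.
      select @Sql = N'select * from ' + quotename(@Schema) + N'.' + quotename(@Name);

      exec sp_executesql @Sql;
end
go

-- Plain table name.
exec TheProcedureSafe @Table = N'Categories';

-- Table name containing a space; quotename() delimits it.
exec TheProcedureSafe @Table = N'Order Details';

-- Constructed input that is not a table name: no catalog row matches it.
exec TheProcedureSafe @Table = N'Categories; select 1 --';
```

Granting callers execute permission on the procedure only, rather than select on the underlying tables, limits what a caller can reach to the tables the lookup allows.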

Published Wednesday, August 18, 2004 6:47 PM by khurram