Home Forums Article Discussions Article Discussions by Author Discuss Content Posted by Gregory Larsen Stairway to T-SQL: Beyond The Basics Level 9: Dynamic T-SQL Code RE: Stairway to T-SQL: Beyond The Basics Level 9: Dynamic T-SQL Code

  • July 24, 2014 at 12:17 pm

    #1732170

    To prevent SQL Injection when the names of objects or columns are entered by the user, I'd recommend as well QUOTENAME() function. Of course, that doesn't remove the good practice of using parametrized queries. Combining both options, you should be safe. If anyone prove me wrong, we can all learn some more.

    DECLARE @Table varchar(128) = 'sys.tables; '' SELECT TOP 100* FROM sys.columns'

    DECLARE @SQL nvarchar(4000)

    SET @SQL = 'SELECT * FROM ' + QUOTENAME(@Table)

    PRINT @SQL

    EXEC sp_executesql @SQL

    Luis C.
    General Disclaimer:
    Are you seriously taking the advice and code from someone from the internet without testing it? Do you at least understand it? Or can it easily kill your server?

    How to post data/code on a forum to get the best help: Option 1 / Option 2