David92595 (6/28/2016)
Hello,I am trying to dynamically update a table (as much as possible) based on a parameter. However, because I'm trying to avoid SQL injection I'm hard coding the table names, but still need to be able to select which one based on another parameter (@State).
@ID int,
@State varChar,
@ColumnName varchar,
@NewValue datetime
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
-- Insert statements for procedure here
SELECT CASE @State
Case 'AZ' THEN
UPDATE AZ_Fees
SET @ColumnName = @NewValue
WHERE ID = @ID
Case 'CA' THEN
UPDATE CA_Fees
SET @ColumnName = @NewValue
WHERE ID = @ID
Case 'HI' THEN
UPDATE HI_Fees
SET @ColumnName = @NewValue
WHERE ID = @ID
What is the best way to go about this?
David92595
My question would be... why are these fees stored in a separate table for each state?
--Jeff Moden
Change is inevitable... Change for the better is not.