• As a quickie "solution", for now, something like this:

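    SET ANSI_NULLS ON;
    SET QUOTED_IDENTIFIER ON;
    GO

    ALTER PROCEDURE <proc_name>
        @ID int, /* not used below: the UPDATE has no WHERE clause */
        @State varchar(30),
        @ColumnName varchar(100),
        @NewValue datetime
    AS
    SET NOCOUNT ON;

    /* Crude filter: reject any input that contains a semicolon. */
    IF @State LIKE '%[;]%' OR @ColumnName LIKE '%[;]%' OR @NewValue LIKE '%[;]%'
        RETURN -100 /*sql injection attempt!*/

    DECLARE @sql varchar(8000)

    /* QUOTENAME brackets each identifier and doubles any embedded "]".
       CONVERT is needed because string + datetime raises a conversion error. */
    SET @sql = 'UPDATE ' + QUOTENAME(@State + '_Fees')
             + ' SET ' + QUOTENAME(PARSENAME(@ColumnName, 1))
             + ' = ''' + CONVERT(varchar(30), @NewValue, 126) + ''''

    EXEC(@sql)
    GO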

    SQL DBA, SQL Server MVP (07, 08, 09)
    A socialist is someone who will give you the shirt off *someone else's* back.
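A stricter variant of the same procedure, as an added example that is not part of the original post: the table and column names are resolved against the catalog instead of being filtered for semicolons, and the value is passed as a typed parameter through `sp_executesql`. The `dbo` schema and the names `dbo.SetFeeDate`, `dbo.TX_Fees` and `DueDate` are assumptions made for illustration.

```sql
-- Constructed sample table (hypothetical name and columns).
CREATE TABLE dbo.TX_Fees (ID int PRIMARY KEY, DueDate datetime NULL);
INSERT dbo.TX_Fees (ID, DueDate) VALUES (1, NULL);
GO

-- Hypothetical procedure name; parameters mirror the posted procedure.
CREATE PROCEDURE dbo.SetFeeDate
    @State      varchar(30),
    @ColumnName sysname,
    @NewValue   datetime
AS
SET NOCOUNT ON;
DECLARE @table sysname, @column sysname, @sql nvarchar(max);

-- Resolve both names against the catalog: only an existing datetime column
-- of an existing dbo.<State>_Fees table is accepted.
SELECT @table = t.name, @column = c.name
FROM sys.tables AS t
JOIN sys.columns AS c ON c.object_id = t.object_id
WHERE t.schema_id = SCHEMA_ID(N'dbo')
  AND t.name = @State + N'_Fees'
  AND c.name = @ColumnName
  AND c.system_type_id = TYPE_ID(N'datetime');

IF @table IS NULL
    RETURN -100;  -- no catalog match: no dynamic SQL is built or executed

-- The identifiers now come from the catalog and are still passed through
-- QUOTENAME; the value travels as a typed parameter, never as concatenated text.
-- No WHERE clause, matching the posted statement (the key column is not named there).
SET @sql = N'UPDATE dbo.' + QUOTENAME(@table)
         + N' SET ' + QUOTENAME(@column) + N' = @v;';
EXEC sys.sp_executesql @sql, N'@v datetime', @v = @NewValue;
RETURN 0;
GO

-- Constructed calls: a column that exists, then a name that is not in the catalog.
DECLARE @rc int;
EXEC @rc = dbo.SetFeeDate @State = 'TX', @ColumnName = N'DueDate',  @NewValue = '20240131';
SELECT @rc AS rc_known_column;
EXEC @rc = dbo.SetFeeDate @State = 'TX', @ColumnName = N'Due]Date', @NewValue = '20240131';
SELECT @rc AS rc_unknown_column;
```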