Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Trying to parameterise code executed by sp_executesql Expand / Collapse
Author
Message
Posted Tuesday, July 8, 2014 7:43 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Saturday, October 18, 2014 6:45 PM
Points: 7, Visits: 55
I'm trying to parameterise code executed by sp_executesql. It's not a stored procedure, I've just got a number of similar SQL scripts, and trying to minimise the edits involved.

Here is some sample code (simplified example):

declare @tablename nvarchar(255);
declare @colname nvarchar(255);
declare @parms nvarchar(255);
declare @sql nvarchar(max);

set @tablename=N'sys.objects';
set @colname=N'name';
set @parms=N'@tablename nvarchar(255)';
set @sql=N'select top 5 * from @tablename';
exec sp_executesql @sql, @parms, @tablename;
------------------------------------------------
declare @tablename nvarchar(255);
declare @colname nvarchar(255);
declare @parms nvarchar(255);
declare @sql nvarchar(max);

set @tablename=N'sys.objects';
set @colname=N'name';
set @parms=N'@colname nvarchar(255)';
set @sql=N'select top 5 @colname from sys.objects';
exec sp_executesql @sql, @parms, @colname;
------------------------------------------------
declare @tablename nvarchar(255);
declare @colname nvarchar(255);
declare @parms nvarchar(255);
declare @sql nvarchar(max);

set @tablename=N'sys.objects';
set @colname=N'name';
set @parms=N'@tablename nvarchar(255), @colname nvarchar(255)';
set @sql=N'select top 5 @colname from @tablename';
exec sp_executesql @sql, @parms, @tablename, @colname;

Highlight each separate section and submit in SSMS.

I'm following the examples in here: http://msdn.microsoft.com/en-au/library/ms188001.aspx.

If I have to generate code like:

set @sql=N'select top 5 ' + @colname + ' from ' + @tablename;

Then I may consider this approach instead, especially when double- and triple-quoting is involved:

set @sql=N'select top 5 <<colname>> from <<tablename>>';
set @sql=replace(@sql,'<<colname>>',@colname);
set @sql=replace(@sql,'<<tablename>>',@tablename);
exec(@sql);

Thank you for pointing me in the right direction.
Post #1590361
Posted Tuesday, July 8, 2014 7:52 AM


SSC-Forever

SSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-Forever

Group: General Forum Members
Last Login: Today @ 9:13 AM
Points: 40,609, Visits: 37,070
You can't parameterise table or column names. You'll have to build up the string with those values in (and beware SQL injection vulnerabilities)


Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #1590365
Posted Wednesday, July 9, 2014 7:09 AM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Today @ 10:51 AM
Points: 14,201, Visits: 28,530
You parameterize the values passed to the query, not the tables and columns. Those have to be explicitly stated. As Gail said, you can build those statements dynamically, but you better have great syntax checking to ensure you don't hit SQL Injection.

----------------------------------------------------
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood..." Theodore Roosevelt
The Scary DBA
Author of:
SQL Server Query Performance Tuning
and
SQL Server Execution Plans

Product Evangelist for Red Gate Software
Post #1590721
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse