Patrick Russell (11/10/2008)
I guess I hadn't thought of that. I actually try to stay away from dynamic sql. I always thought there where sql injection issues with it. Only use it if its really necessary. This may qualify.
Providing you use sp_executesql properly with parameters, there's no sql injection issue here. Dynamic SQL is a use only when absolutely necessary technique, but this is one of those places where there really isn't a good alternative that performs well.
Wouldn't the User still need Select permissions on the tables?
Yes. Make sure it's just select and just on those tables.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability