SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


sp_executesql dynamic columns in select statement


sp_executesql dynamic columns in select statement

Author
Message
nawillia
nawillia
SSC Veteran
SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)

Group: General Forum Members
Points: 223 Visits: 554
can i use sp_excecutesql to run a cmd that has a parameter for the column. so the cmd looks like this

@cmd = N'select @col1 from dbo.testtable'

also can you do something like

@cmd = N'select * from @sometable'

I know the specifics of passing the parameters to sp_executesql, but i can't get the actual columns or tables to be dynamic.

thanks
shump66@yahoo.com
shump66@yahoo.com
SSC Rookie
SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)

Group: General Forum Members
Points: 43 Visits: 245

@cmd = N'select @col1 from dbo.testtable'



I am not sure if this correct and would need to test but if you give it a try I would think something like this may work

@cmd = N'select ' + @col1 + 'from dbo.testtable'


The other way is which may work is

declare @SQLString AS VARCHAR(max)

set @SQLString = 'select ' + @col1 + 'from dbo.testtable'

@cmd = @SQLString

My home server is done when I get into my office I will give this a try

Scott
I am a Senior Data Analyst/DBA
I work with MS SQL, Oracle & several ETL Tools

@thewolf66
sivaj2k
sivaj2k
SSC Journeyman
SSC Journeyman (98 reputation)SSC Journeyman (98 reputation)SSC Journeyman (98 reputation)SSC Journeyman (98 reputation)SSC Journeyman (98 reputation)SSC Journeyman (98 reputation)SSC Journeyman (98 reputation)SSC Journeyman (98 reputation)

Group: General Forum Members
Points: 98 Visits: 549
-- This can be used for your solution. But this is not a complete solution.
-- Chance for having sql injection.

CREATE PROCEDURE [dbo].[Dynamic_Query_Example] (@p_category varchar(20))
as
begin
declare @v_count int
declare @sql_query varchar(max), @p_category_select varchar(max)

select @v_count = count(*) from information_schema.columns where table_name = 'test' and column_name = @p_category
if @v_count >0
begin
SELECT @SQL_QUERY = ' SELECT '+@P_CATEGORY+' FROM test'
end
else
begin
print 'Invalid column name'
end
print @sql_query
exec (@sql_query)
end

Thanks
Siva Kumar J
nawillia
nawillia
SSC Veteran
SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)

Group: General Forum Members
Points: 223 Visits: 554
Thanks for the advice, but i'm not looking to do string concatenation...i need to have the parameters passed usin sp_executesql
shump66@yahoo.com
shump66@yahoo.com
SSC Rookie
SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)

Group: General Forum Members
Points: 43 Visits: 245
Did you try the Ex I posted I have not had time to test

Scott
I am a Senior Data Analyst/DBA
I work with MS SQL, Oracle & several ETL Tools

@thewolf66
nawillia
nawillia
SSC Veteran
SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)

Group: General Forum Members
Points: 223 Visits: 554
HI
I did not try your example per se, because it use string concatenation with the @table or @col outside of quotes.
This will lead to sql injection. What i was looking for was an
example where the string looks like ' select @col from @table' all inside the quotes and then @col and @table are passed as variables to the sp_executesql stored procedure.

I never got it to work, but my app isn't a web app, so sql injection is not a big deal. I just wanted to code it securely anyways.
Ken McKelvey
Ken McKelvey
SSCommitted
SSCommitted (1.7K reputation)SSCommitted (1.7K reputation)SSCommitted (1.7K reputation)SSCommitted (1.7K reputation)SSCommitted (1.7K reputation)SSCommitted (1.7K reputation)SSCommitted (1.7K reputation)SSCommitted (1.7K reputation)

Group: General Forum Members
Points: 1657 Visits: 7879
The sp_executesql procedure works like a dynamic SP so you can only pass values, and not object names, as parameters.

To guard against SQL injection you can validate column names against INFORMATION_SCHEMA.COLUMNS and table names against INFORMATION_SCHEMA.TABLES.
nawillia
nawillia
SSC Veteran
SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)SSC Veteran (223 reputation)

Group: General Forum Members
Points: 223 Visits: 554
Thanks
That is the answer I was looking to confirm my thoughts.

Thanks for the advice too.
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search