HOW TO PASS UPDATE QUERY WITH EXECUTE COMMAND


dastagiri16
Hi,

I have a small confusion about sending the "update" query in an execute statement.

My requirement is:
Without using either a variable or SET QUOTED_IDENTIFIER OFF,
how can I send the query through a procedure?
My usage is as below. It's not working for the two queries below.
Exec proce_Name 'update table set column='TEST' where id=1'
or
Exec proce_Name "update table set column='TEST' where id=1"

-------Giri
GilaMonster
What does the procedure proce_Name do?

btw, I strongly recommend against any architecture or design that has pieces of queries being passed around as parameters. It gets hugely complex, there are almost always security vulnerabilities as a result and it's a pain to work with them.

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass


dastagiri16
The procedure limits the records based on the query sent.
Suppose we need to update 10 records: we need to pass the update query and the limit value so that 10 records will be updated. And here the query is not only UPDATE; it also works for SELECT, INSERT, etc.
Is there any default server level configuration to allow double quotes for string values?
GilaMonster
This works
Exec proce_Name 'update table set column=''TEST'' where id=1'


Those aren't double quotes, they're escaped single quotes.

I still strongly recommend against any design that requires the passing of queries or parts of queries around.

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass


dastagiri16
Thanks a lot
Steven Willis
I agree with Gail here. Passing TSQL through as input is just asking for trouble.

Better would be to move the code into a procedure something like this:

OLD METHOD
Exec proce_Name 'update table set column=''TEST'' where id=1'

NEW METHOD
EXEC dbo.SampleFoo 'MyTable','MyColumn',1,'TEST','UPDATE'



CREATE PROCEDURE dbo.SampleFoo

@TableName SYSNAME
,@ColumnName SYSNAME
,@ID INT
,@NewValue VARCHAR(50)
,@ActionType VARCHAR(50)

AS
BEGIN

SET NOCOUNT ON

DECLARE @strSQL NVARCHAR(4000)

IF @ActionType = 'UPDATE'
BEGIN

-- Build the UPDATE statement by concatenating the inputs
SET @strSQL =
@ActionType + ' '
+ @TableName
+ ' SET '
+ @ColumnName + ' = ''' + @NewValue + ''''
+ ' WHERE ID = ' + CAST(@ID AS VARCHAR(12))

EXEC sp_executeSQL @strSQL

END
ELSE IF @ActionType = 'INSERT'
BEGIN

-- Build the INSERT statement by concatenating the inputs
SET @strSQL =
@ActionType + ' INTO ' + @TableName
+ ' (' + @ColumnName + ')'
+ ' VALUES '
+ '(''' + @NewValue + '''); SET @NewID = SCOPE_IDENTITY()'

-- SCOPE_IDENTITY() is read inside the dynamic batch; it is NULL in the calling scope
EXEC sp_executeSQL @strSQL, N'@NewID INT OUTPUT', @NewID = @ID OUTPUT --this gets the new ID after insertion

END

END



GilaMonster
To be honest, I wouldn't recommend that either. It's vulnerable to SQL injection and it completely violates the software engineering principle of single responsibility. In front end development no one would consider writing a function that can update properties of an employee object, vehicle object, movie object or accounting collection depending on parameter values, so why do it in a stored procedure?

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass
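
An added example, not posted by anyone in this thread: the direction the last reply points to, first as a single-purpose procedure with static SQL and a row limit, then as a variant for when the column name really has to vary. dbo.Customer, its columns and both procedure names are hypothetical, and the second procedure assumes the target columns hold character data.

```sql
-- Added example; dbo.Customer, its columns and the procedure names are hypothetical.

-- 1) Single-responsibility procedure: static SQL, typed parameters, and the
--    row limit the original poster wanted, with no query text passed in.
CREATE PROCEDURE dbo.Customer_SetStatus
     @CustomerID INT
    ,@NewStatus  VARCHAR(50)
    ,@MaxRows    INT = 1
AS
BEGIN
    SET NOCOUNT ON;

    UPDATE TOP (@MaxRows) dbo.Customer
    SET    Status = @NewStatus          -- value is bound, never parsed as SQL
    WHERE  CustomerID = @CustomerID;

    RETURN @@ROWCOUNT;                  -- rows actually changed
END
GO

-- 2) If the column truly must vary: resolve it against the catalog,
--    quote it with QUOTENAME, and still bind the values as parameters.
CREATE PROCEDURE dbo.Customer_SetTextColumn
     @ColumnName SYSNAME
    ,@CustomerID INT
    ,@NewValue   VARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @SafeColumn SYSNAME, @strSQL NVARCHAR(4000);

    -- Only a real column of dbo.Customer is accepted; anything else is rejected.
    SELECT @SafeColumn = c.name
    FROM   sys.columns AS c
    WHERE  c.object_id = OBJECT_ID(N'dbo.Customer')
      AND  c.name = @ColumnName;

    IF @SafeColumn IS NULL
    BEGIN
        RAISERROR(N'Unknown column for dbo.Customer.', 16, 1);
        RETURN;
    END

    SET @strSQL = N'UPDATE dbo.Customer SET ' + QUOTENAME(@SafeColumn)
                + N' = @NewValue WHERE CustomerID = @CustomerID;';

    EXEC sys.sp_executesql @strSQL
        ,N'@NewValue VARCHAR(50), @CustomerID INT'
        ,@NewValue = @NewValue, @CustomerID = @CustomerID;
END
GO
```

Callers of either procedure need only EXECUTE permission on it, not UPDATE rights on the table, as long as the first form is used; the dynamic SQL in the second form is checked against the caller's own table permissions.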

