Wrox Programmer Forums
Go Back   Wrox Programmer Forums > SQL Server > SQL Server 2000 > SQL Server 2000
| Search | Today's Posts | Mark Forums Read
SQL Server 2000 General discussion of Microsoft SQL Server -- for topics that don't fit in one of the more specific SQL Server forums. version 2000 only. There's a new forum for SQL Server 2005.
Welcome to the p2p.wrox.com Forums.

You are currently viewing the SQL Server 2000 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old September 25th, 2003, 04:11 AM
Authorized User
 
Join Date: Sep 2003
Location: , , .
Posts: 83
Thanks: 0
Thanked 0 Times in 0 Posts
Default passing table as a parameter to stored procedure

Hi all,

I want to pass the name of a table as a parameter to a stored procedure...for example something like

CREATE PROCEDURE MoveDataFromTempFiles
    @tempTestChainTable varchar (150),
    @tempProcessID int

 AS
    Select * from @tempTestChainTable where ID = @tempProcessID

However, I get the error @tempTestChainTable. Do table names have to be static?? Any help regarding this will be greatly appreciated.

Thanks,

Pankaj

 
Old September 25th, 2003, 04:17 AM
Authorized User
 
Join Date: Jun 2003
Location: Manchester, , United Kingdom.
Posts: 60
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hi, this is what I use when I want to pass a table
CREATE PROCEDURE dbo.getTable
    @tableName varchar(50)
    ,@fieldName varchar(20) = NULL
    ,@value varchar(20) = @fieldName
AS
  IF @fieldName = NULL
    BEGIN
    EXEC ('SELECT * FROM '+ @tableName)
    END
  ELSE
    BEGIN
    EXEC ('SELECT * FROM ' + @tableName + ' WHERE ' + @fieldName + ' = "' + @value + '" ')
    END
GO

Ian
 
Old September 25th, 2003, 05:27 AM
Authorized User
 
Join Date: Sep 2003
Location: , , .
Posts: 83
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hi Ian.

Thanks! I will give it a shot :)

Pankaj

 
Old September 25th, 2003, 05:32 AM
Authorized User
 
Join Date: Sep 2003
Location: Trivandrum, Kerala, India.
Posts: 21
Thanks: 0
Thanked 0 Times in 0 Posts
Send a message via MSN to balakumar1000
Default

Using EXEC to execute a SQL Statement will attract some cost on performance. everytime it has to parse the sql statement before executing...use it when there is a absolute need.

 
Old September 25th, 2003, 05:46 AM
Friend of Wrox
 
Join Date: Jun 2003
Location: Hudson, MA, USA.
Posts: 839
Thanks: 0
Thanked 1 Time in 1 Post
Default

Quote:
quote:Originally posted by balakumar1000
 Using EXEC to execute a SQL Statement will attract some cost on performance. everytime it has to parse the sql statement before executing...use it when there is a absolute need.
Not to mention which such an approach opens your server to a SQL injection attack. Consider what happens when an attacker executes the stored procedure above and sets the value of @tablename to a string like:
Code:
yourtable; DELETE yourtable; SELECT * FROM yourtable
you're in real trouble...

Jeff Mason
Custom Apps, Inc.
www.custom-apps.com
 
Old September 25th, 2003, 08:06 AM
Authorized User
 
Join Date: Jun 2003
Location: Manchester, , United Kingdom.
Posts: 60
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Jeff
Thanks for the interesting comment, I will keep an eye this post for further/alternative developments

Regards
Ian
 
Old September 30th, 2003, 04:01 AM
Authorized User
 
Join Date: Sep 2003
Location: , , .
Posts: 83
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Wow, I never thought if it like that. I have to keep all this in mind. I will post an update as soon as I have some satisfactory solution.

Thanks,
Pankaj

 
Old September 30th, 2003, 05:11 AM
Imar's Avatar
Wrox Author
Points: 70,322, Level: 100
Points: 70,322, Level: 100 Points: 70,322, Level: 100 Points: 70,322, Level: 100
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
Default

In your journey for a satisfactory solution, you may be interested in the following White Paper on SQL injection:

http://www.nextgenss.com/papers/adva..._injection.pdf

and other info and links from this thread.

Cheers,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.




Similar Threads
Thread Thread Starter Forum Replies Last Post
Pass XML parameter to stored procedure BCullenward Classic ASP Databases 3 September 10th, 2008 02:07 PM
usin g stored procedure with parameter Sheraz Khan ASP.NET 2.0 Basics 1 September 5th, 2007 12:27 AM
Query Parameter of a Stored Procedure tarang SQL Server 2000 4 July 25th, 2007 11:43 AM
How to pass a parameter to a stored procedure? MaxGay2 VB.NET 2002/2003 Basics 1 November 8th, 2006 02:48 PM
Passing a parameter value to Stored Procedure mcinar SQL Server 2000 9 October 3rd, 2004 09:42 PM





Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.