 |
| SQL Server 2000 General discussion of Microsoft SQL Server -- for topics that don't fit in one of the more specific SQL Server forums. version 2000 only. There's a new forum for SQL Server 2005. |
Welcome to the p2p.wrox.com Forums.
You are currently viewing the SQL Server 2000 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
|
|
|
|
September 25th, 2003, 04:11 AM
|
|
Authorized User
|
|
Join Date: Sep 2003
Posts: 83
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
passing table as a parameter to stored procedure
Hi all,
I want to pass the name of a table as a parameter to a stored procedure...for example something like
CREATE PROCEDURE MoveDataFromTempFiles
@tempTestChainTable varchar (150),
@tempProcessID int
AS
Select * from @tempTestChainTable where ID = @tempProcessID
However, I get the error @tempTestChainTable. Do table names have to be static?? Any help regarding this will be greatly appreciated.
Thanks,
Pankaj
|
|
September 25th, 2003, 04:17 AM
|
|
Authorized User
|
|
Join Date: Jun 2003
Posts: 60
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Hi, this is what I use when I want to pass a table
CREATE PROCEDURE dbo.getTable
@tableName varchar(50)
,@fieldName varchar(20) = NULL
,@value varchar(20) = @fieldName
AS
IF @fieldName = NULL
BEGIN
EXEC ('SELECT * FROM '+ @tableName)
END
ELSE
BEGIN
EXEC ('SELECT * FROM ' + @tableName + ' WHERE ' + @fieldName + ' = "' + @value + '" ')
END
GO
Ian
|
|
September 25th, 2003, 05:27 AM
|
|
Authorized User
|
|
Join Date: Sep 2003
Posts: 83
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Hi Ian.
Thanks! I will give it a shot :)
Pankaj
|
|
September 25th, 2003, 05:32 AM
|
|
Authorized User
|
|
Join Date: Sep 2003
Posts: 21
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Using EXEC to execute a SQL Statement will attract some cost on performance. everytime it has to parse the sql statement before executing...use it when there is a absolute need.
|
|
September 25th, 2003, 05:46 AM
|
|
Friend of Wrox
|
|
Join Date: Jun 2003
Posts: 839
Thanks: 0
Thanked 1 Time in 1 Post
|
|
Quote:
quote:Originally posted by balakumar1000
Using EXEC to execute a SQL Statement will attract some cost on performance. everytime it has to parse the sql statement before executing...use it when there is a absolute need.
|
Not to mention which such an approach opens your server to a SQL injection attack. Consider what happens when an attacker executes the stored procedure above and sets the value of @tablename to a string like:
Code:
yourtable; DELETE yourtable; SELECT * FROM yourtable
you're in real trouble...
Jeff Mason
Custom Apps, Inc.
www.custom-apps.com
|
|
September 25th, 2003, 08:06 AM
|
|
Authorized User
|
|
Join Date: Jun 2003
Posts: 60
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Jeff
Thanks for the interesting comment, I will keep an eye this post for further/alternative developments
Regards
Ian
|
|
September 30th, 2003, 04:01 AM
|
|
Authorized User
|
|
Join Date: Sep 2003
Posts: 83
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Wow, I never thought if it like that. I have to keep all this in mind. I will post an update as soon as I have some satisfactory solution.
Thanks,
Pankaj
|
|
September 30th, 2003, 05:11 AM
|
 |
Wrox Author
|
|
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
|
|
In your journey for a satisfactory solution, you may be interested in the following White Paper on SQL injection:
http://www.nextgenss.com/papers/adva..._injection.pdf
and other info and links from this thread.
Cheers,
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
|
|
|
