Wrox Programmer Forums

#1, September 25th, 2003, 04:11 AM
passing table as a parameter to stored procedure

Hi all,

I want to pass the name of a table as a parameter to a stored procedure...for example something like

CREATE PROCEDURE MoveDataFromTempFiles
    @tempTestChainTable varchar (150),
    @tempProcessID int

 AS
    Select * from @tempTestChainTable where ID = @tempProcessID

However, I get the error @tempTestChainTable. Do table names have to be static?? Any help regarding this will be greatly appreciated.

Thanks,

Pankaj

#2, September 25th, 2003, 04:17 AM

Hi, this is what I use when I want to pass a table
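CREATE PROCEDURE dbo.getTable
    @tableName varchar(50)
    ,@fieldName varchar(20) = NULL
    ,@value varchar(20) = NULL  -- a parameter default must be a constant, not another parameter
AS
  -- NULL is tested with IS NULL; a comparison with = NULL is never true under ANSI_NULLS ON
  IF @fieldName IS NULL
    BEGIN
    EXEC ('SELECT * FROM '+ @tableName)
    END
  ELSE
    BEGIN
    -- the value is wrapped in single quotes (doubled inside the literal);
    -- double quotes denote identifiers under QUOTED_IDENTIFIER ON
    EXEC ('SELECT * FROM ' + @tableName + ' WHERE ' + @fieldName + ' = ''' + @value + ''' ')
    END
GO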

Ian

#3, September 25th, 2003, 05:27 AM

Hi Ian.

Thanks! I will give it a shot :)

Pankaj

#4, September 25th, 2003, 05:32 AM

Using EXEC to execute a SQL Statement will attract some cost on performance. Every time it has to parse the sql statement before executing...use it when there is an absolute need.

#5, September 25th, 2003, 05:46 AM

Quote:
Originally posted by balakumar1000
Using EXEC to execute a SQL Statement will attract some cost on performance. Every time it has to parse the sql statement before executing...use it when there is an absolute need.

Not to mention that such an approach opens your server to a SQL injection attack. Consider what happens when an attacker executes the stored procedure above and sets the value of @tablename to a string like:
Code:
yourtable; DELETE yourtable; SELECT * FROM yourtable
you're in real trouble...

Jeff Mason
Custom Apps, Inc.
www.custom-apps.com
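
An added example, not part of any post in this thread: one way to write the procedure from post #2 so that the string quoted in post #5 is rejected instead of executed. The name dbo.getTableSafe and the restriction to dbo-owned base tables are assumptions.

```sql
-- Added example; dbo.getTableSafe is a hypothetical name. Syntax kept to SQL Server 2000.
CREATE PROCEDURE dbo.getTableSafe
    @tableName sysname,
    @fieldName sysname = NULL,
    @value     nvarchar(20) = NULL
AS
SET NOCOUNT ON
DECLARE @sql nvarchar(4000)

-- 1. The table must exist as a dbo base table (assumption: only dbo tables are exposed).
--    The name is compared as data here; it is never executed.
IF NOT EXISTS (SELECT * FROM INFORMATION_SCHEMA.TABLES
               WHERE TABLE_SCHEMA = N'dbo' AND TABLE_NAME = @tableName
                 AND TABLE_TYPE = 'BASE TABLE')
BEGIN
    RAISERROR ('Unknown table.', 16, 1)
    RETURN 1
END

-- 2. QUOTENAME wraps the identifier in [ ] and doubles any ] inside it.
SET @sql = N'SELECT * FROM dbo.' + QUOTENAME(@tableName)

IF @fieldName IS NULL
    EXEC sp_executesql @sql
ELSE
BEGIN
    -- 3. The column must exist in that table.
    IF NOT EXISTS (SELECT * FROM INFORMATION_SCHEMA.COLUMNS
                   WHERE TABLE_SCHEMA = N'dbo' AND TABLE_NAME = @tableName
                     AND COLUMN_NAME = @fieldName)
    BEGIN
        RAISERROR ('Unknown column.', 16, 1)
        RETURN 1
    END
    -- 4. The value is bound as a parameter, so it is never part of the statement text.
    SET @sql = @sql + N' WHERE ' + QUOTENAME(@fieldName) + N' = @v'
    EXEC sp_executesql @sql, N'@v nvarchar(20)', @v = @value
END
GO

-- The string from post #5 matches no table name, so this call fails with 'Unknown table.'
EXEC dbo.getTableSafe @tableName = N'yourtable; DELETE yourtable; SELECT * FROM yourtable'
```

Dynamic SQL still runs with the caller's permissions, so callers need SELECT rights on the tables they query.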

#6, September 25th, 2003, 08:06 AM

Jeff
Thanks for the interesting comment, I will keep an eye on this post for further/alternative developments

Regards
Ian

#7, September 30th, 2003, 04:01 AM

Wow, I never thought of it like that. I have to keep all this in mind. I will post an update as soon as I have some satisfactory solution.

Thanks,
Pankaj

#8, September 30th, 2003, 05:11 AM

In your journey for a satisfactory solution, you may be interested in the following White Paper on SQL injection:

http://www.nextgenss.com/papers/adva..._injection.pdf

and other info and links from this thread.

Cheers,

Imar


---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.