Post reply

using UPDATE in SQL?

  • October 24, 2005 at 6:32 am

    #188136

    Can anyone help I'm trying to update a table on my SQL server, the line of code I'm using in the stored procedure is the following

     

    CREATE  PROCEDURE spSaveDaysArea  @sName as VarChar(200),@sArea as VarChar(100), @sDate1 as VarChar(20)

    AS

     

    declare @sql as varchar(5000)

    set @sql = 'update [TI Work] set [' + @sArea + ']' +' =  [' + @sName + ']  where [date1] =  ' + @sDate1 + ''

    exec (@sql)

    GO

     

    but I'm getting an invalid colomn error, any ideas?

  • October 24, 2005 at 6:50 am

    #599451

    The Curse and Blessings of Dynamic SQL

    Why are you using dynamic sql for this???

  • October 24, 2005 at 6:51 am

    #599452

    because I'm using a vairable for the field name

  • October 24, 2005 at 6:54 am

    #599453

    Ok, why using dynamic field names??

    Did you read the link?

  • October 24, 2005 at 6:57 am

    #599454

    I did actually read the link before posting my question on the forum, I couldn't see anything that could help me, I'm just starting out using an SQL server and I'm in the process of converting some of my program in VB to use this

  • October 24, 2005 at 7:09 am

    #599460

    k, Go back one step. What problem are you trying to solve using this sp?

  • October 24, 2005 at 7:24 am

    #599468

    I'm trying to update a database using VB and passing the name of the field and the data I want to put in that particular field, if that makes sence, incidently the field @sDate1  is a date/time field

  • October 24, 2005 at 7:34 am

    #599476

    Not the way you're doing it. You should use static sql for this.

    UPDATE dboTable set Col1 = @Param1, Col2 = @Param2 where DateKey = @DateVariable

  • October 24, 2005 at 7:41 am

    #599479

    I've actually got it working. At Last !!!

    here's what I used :-

     

    CREATE  PROCEDURE spSaveDaysArea  @sName as VarChar(200),@sArea as VarChar(100), @sDate1 as VarChar(100)

    AS

    declare @sql as varchar(5000)

    set @sql = 'update [TI Work] set ['+ @sArea +']' + ' =  '''+ @sName +'''  where [date1] =  ''' + @sDate1 + ''' '

    exec (@sql)

    GO

     

    Many thanks for the assistance

  • October 24, 2005 at 7:51 am

    #599481

    Let me rephrase what I meant this whole time in clearer terms.

    1 - You totally missed out the real point of store procs.

    2 - You're going against every best practices in the book.

    3 - Your server is now prone to sql injection attacks meaning that someone can take control of the compagny you are working for and YOU'RE RESPONSIBLE OF THAT.

    Now go read the freaking link I gave you and ask question if you don't understand how to do that update.

  • October 24, 2005 at 8:05 am

    #599519

    what do you mean by prone to sql injection attacks ?

  • October 24, 2005 at 8:09 am

    #599520

    READ THE LINK.

    The Curse and Blessings of Dynamic SQL

    and don't ever lie to me again... I'll still know it.

  • October 24, 2005 at 8:39 am

    #599531

    You have excellent diplomacy skills Remi! 

     

    (oh, crum...., do you think he will know I lie to him as well?) 

     

    I wasn't born stupid - I had to study.

  • October 24, 2005 at 8:41 am

    #599533

    hear, hear

  • October 24, 2005 at 8:41 am

    #599532

    Not a diplomate.

    Not gonna stand having someone blatantly lie to me and expect me to be nice about it.

Viewing 15 posts - 1 through 15 (of 32 total)

You must be logged in to reply to this topic. Login to reply