parameter in four-partname tables

Question

Viewing 2 posts - 16 through 16 (of 16 total)

You must be logged in to reply to this topic. Login to reply

inversekinematics SSC Enthusiast Points: 124 More actions · Answer 1

the reason? a large system which was badly developed at the beginning years ago and no corporate money or time to rebuild it the right way...

Ninja's_RGR'us SSC Guru Points: 294069 More actions · Answer 2

I see. Might I suggest a simple security add on.

Add this verification before using the variable as the tablename :

IF EXISTS (Select * from DBNAME.dbo.SysObjects where name = @TableName and uid = 1 and XType = 'U')

begin

exec query

else

throw error - possible injection attack.