December 22, 2010 at 8:49 pm
i want to select only few fileds in a pramater store proc
know i can do it white dinamic sql
create proc [dbo].[MySelect](@filed varchar(max))
as
begin
declare @sql varchar(max)
select @sql = 'select ' + @filed + ' from Customers'
exec (@sql)
end
i do not want to use dinamic sql because sql injection is there outer way
December 22, 2010 at 9:18 pm
You can use sp_ExecuteSQL command with parameters that will help to avoid SQL injection as well as SQL Server can reuse the plan. Query engine needs to just replace the variable values due to parameterized query.
refer: http://msdn.microsoft.com/en-us/library/ms188001.aspx
Do let me know if you require further help.
Thanks
December 23, 2010 at 12:02 am
i try do this
declare @SQLString nvarchar(max)
DECLARE @fileds nvarchar(500);
SET @fileds = N'@fileds_value nvarchar(500)';
SET @SQLString =
N'SELECT @fileds_value from Customers';
EXECUTE sp_executesql @SQLString,@fileds,@fileds_value='custid,custname'
the result was this
custid,custname
custid,custname
custid,custname
custid,custname
custid,custname
custid,custname
custid,custname
custid,custname
custid,custname
custid,custname
custid,custname
custid,custname
custid,custname
custid,custname
December 23, 2010 at 3:40 am
Try this
create proc [dbo].[MySelect](@filed varchar(max))
as
begin
declare @sql nvarchar(max)
select @sql = 'select ' + quotename(@filed,'[') + ' from Customers'
EXECUTE sp_executesql @sql,N'@filed varchar(max)',@filed
end
go
exec [MySelect] N'custid,custname'
--------------------------------------------------------------------------------------------------
I am just an another naive wannabe DBA trying to learn SQL Server
December 23, 2010 at 8:25 am
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply