Query not executing dynamic way

  • 1. Dynamic query

    declare @dbname varchar(50),@objname varchar(20),@sql varchar(100)

    set @dbname='XYZ'

    Set @objname='TMP'

    Set @sql=N'(Select * from '+@dbname+'.sys.objects where name = '+@objname+')'

    EXEC @sql

    2. Actual query

    select * from XYZ.sys.objects where name='Tmp'

    When I am executing query 2nd query I am getting results. But when I am trying with first way I ma getting error as :

    Msg 911, Level 16, State 4, Line 5

    Database '(Select * from XYZ' does not exist. Make sure that the name is entered correctly.

    Can anyone will be able to help

    Sagar Sonawane
    ** Every DBA has his day!!:cool:

  • declare @dbname varchar(50),@objname varchar(20),@sql varchar(1000)

    set @dbname='XYZ'

    Set @objname='TMP'

    Set @sql=N'Select * from '+@dbname+'.sys.objects where name = '''+@objname+''''

    Execute (@sql)

    ----------------------------------------------------------------------------------------------------------------------------------------------------
    Roshan Joe

    Jeff Moden -Forum Etiquette: How to post data/code on a forum to get the best help[/url]

  • I MUCH prefer to do my dynamic SQL this way. Now I don't have to worry about if it is 1, 2, 3, N stupid single quotes to make the string correct!! 🙂

    SET QUOTED_IDENTIFIER OFF

    GO

    declare @dbname varchar(50),@objname varchar(20),@sql varchar(1000)

    set @dbname='XYZ'

    Set @objname='TMP'

    Set @sql="Select * from "+@dbname+".sys.objects where name = '"+@objname+"'"

    Execute (@sql)

    Best,
    Kevin G. Boles
    SQL Server Consultant
    SQL MVP 2007-2012
    TheSQLGuru on googles mail service

  • declare @dbname varchar(50),@objname varchar(20),@sql varchar(100)

    set @dbname='master'

    Set @objname='Ta'

    Set @sql="Select * from "+@dbname+".sys.objects where name = '"+@objname+"'"

    EXEC (@sql)

  • I prefer to use QUOTENAME which will escape quotes and brackets correctly, as well as handle weird names.

    DECLARE

    @dbname sysname,

    @objname sysname,

    @sql nvarchar(1000);

    SET @dbname = 'XYZ';

    SET @objname = 'TMP';

    SET @sql = 'Select * from ' + QUOTENAME(@dbname) + '.sys.objects where name = ' + QUOTENAME( @objname, '''');

    EXECUTE (@sql);

    Luis C.
    General Disclaimer:
    Are you seriously taking the advice and code from someone from the internet without testing it? Do you at least understand it? Or can it easily kill your server?

    How to post data/code on a forum to get the best help: Option 1 / Option 2
  • Luis Cazares (6/2/2016)


    I prefer to use QUOTENAME which will escape quotes and brackets correctly, as well as handle weird names.

    DECLARE

    @dbname sysname,

    @objname sysname,

    @sql nvarchar(1000);

    SET @dbname = 'XYZ';

    SET @objname = 'TMP';

    SET @sql = 'Select * from ' + QUOTENAME(@dbname) + '.sys.objects where name = ' + QUOTENAME( @objname, '''');

    EXECUTE (@sql);

    That doesn't help in the case of filter values though. :ermm:

    Best,
    Kevin G. Boles
    SQL Server Consultant
    SQL MVP 2007-2012
    TheSQLGuru on googles mail service

  • TheSQLGuru (6/2/2016)


    Luis Cazares (6/2/2016)


    I prefer to use QUOTENAME which will escape quotes and brackets correctly, as well as handle weird names.

    DECLARE

    @dbname sysname,

    @objname sysname,

    @sql nvarchar(1000);

    SET @dbname = 'XYZ';

    SET @objname = 'TMP';

    SET @sql = 'Select * from ' + QUOTENAME(@dbname) + '.sys.objects where name = ' + QUOTENAME( @objname, '''');

    EXECUTE (@sql);

    That doesn't help in the case of filter values though. :ermm:

    No, that's why we use parametrized queries for filter values using sp_executesql.

    Luis C.
    General Disclaimer:
    Are you seriously taking the advice and code from someone from the internet without testing it? Do you at least understand it? Or can it easily kill your server?

    How to post data/code on a forum to get the best help: Option 1 / Option 2
  • Luis Cazares (6/2/2016)


    TheSQLGuru (6/2/2016)


    Luis Cazares (6/2/2016)


    I prefer to use QUOTENAME which will escape quotes and brackets correctly, as well as handle weird names.

    DECLARE

    @dbname sysname,

    @objname sysname,

    @sql nvarchar(1000);

    SET @dbname = 'XYZ';

    SET @objname = 'TMP';

    SET @sql = 'Select * from ' + QUOTENAME(@dbname) + '.sys.objects where name = ' + QUOTENAME( @objname, '''');

    EXECUTE (@sql);

    That doesn't help in the case of filter values though. :ermm:

    No, that's why we use parametrized queries for filter values using sp_executesql.

    Sadly my experience has been that clients have a tough time or don't know proper use of sp_executesql and default to the easier direct execution. :crying:

    Best,
    Kevin G. Boles
    SQL Server Consultant
    SQL MVP 2007-2012
    TheSQLGuru on googles mail service

  • TheSQLGuru (6/2/2016)


    Luis Cazares (6/2/2016)


    No, that's why we use parametrized queries for filter values using sp_executesql.

    Sadly my experience has been that clients have a tough time or don't know proper use of sp_executesql and default to the easier direct execution. :crying:

    I'm sure they'll find it easier to use once you show them some examples on how SQL Injection can hurt their databases.

    Luis C.
    General Disclaimer:
    Are you seriously taking the advice and code from someone from the internet without testing it? Do you at least understand it? Or can it easily kill your server?

    How to post data/code on a forum to get the best help: Option 1 / Option 2

Viewing 9 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic. Login to reply