ADO/ADO.NET - how to make a customized procedure
Asked By pankaj singh on 29-Mar-13 09:17 AM
I have made a procedure which takes one argument, "table_name", and I want to execute it like "select * from table_name".
CREATE procedure selectrecord(@str1 varchar(50)) as
declare @str2 varchar(100)
set @str2 ='Select * from ' +@str1
My problem is that when I execute this procedure
>>>> selectrecord "table_name"
select * from table_name
but it does not show the records which I want.
Robbe Morris replied to pankaj singh on 29-Mar-13 09:39 AM
You have to use dynamic SQL, which would make using this in a stored procedure pointless because it can't compile a proper execution plan. Plus, you've opened up a huge security hole with SQL injection attacks. You should avoid dynamic SQL wherever possible.
declare @sql as varchar(3000)
-- the statement text is assembled as a string, then run as dynamic SQL
set @sql = 'some really vulnerable sql statement'
exec (@sql)
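For cases where a table name really must be a parameter, the following is an added example (not code from either poster) of how the injection risk raised in the reply can be constrained: the input is resolved against the catalog and only the catalog's own values, quoted with QUOTENAME, go into the statement. The procedure name `selectrecord_safe`, the restriction to the `dbo` schema, and the table name `Customers` are assumptions made for illustration.

```sql
-- Added example: hardened variant of the asker's selectrecord procedure.
-- selectrecord_safe is a hypothetical name; dbo-only is an assumed policy.
CREATE PROCEDURE dbo.selectrecord_safe
    @table_name sysname            -- sysname = nvarchar(128), the type used for object names
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @schema sysname, @table sysname, @sql nvarchar(600);

    -- Resolve the input against the catalog instead of trusting it.
    -- The caller's string is only ever used as a comparison value here.
    SELECT @schema = s.name, @table = t.name
    FROM sys.tables AS t
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    WHERE t.name = @table_name
      AND s.name = N'dbo';

    -- Anything that is not an existing dbo user table is rejected.
    IF @table IS NULL
    BEGIN
        RAISERROR(N'Unknown table name.', 16, 1);
        RETURN;
    END;

    -- Build the statement from the catalog values, bracket-quoted by QUOTENAME,
    -- so the caller's string never reaches the SQL text directly.
    SET @sql = N'SELECT * FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table) + N';';

    EXEC sys.sp_executesql @sql;
END;
GO

-- Constructed calls (Customers is a sample table name):
EXEC dbo.selectrecord_safe @table_name = N'Customers';           -- rows, if dbo.Customers exists
EXEC dbo.selectrecord_safe @table_name = N'Customers; PRINT 1';  -- rejected: no table has that name
```

This still gives up a cached plan per table and still needs SELECT permission checks on each table, so a fixed query per table remains the better design where the set of tables is known.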