ADO/ADO.NET - how to make a customize procedure

Asked By pankaj singh on 29-Mar-13 09:17 AM
hi Expert
I have made a procedure which takes one argument "table_name" and I want to execute it like "select * from table_name"



CREATE procedure selectrecord(@str1 varchar(50)) as
    declare @str2 varchar(100)
    -- builds the statement text from the argument ...
    set @str2 = 'Select * from ' + @str1
    -- ... and returns that text as a one-row result, without running it
    select @str2


My problem is that when I execute this procedure

 >>>> selectrecord "table_name"

it returns

select * from table_name

but does not show the records I want.

Robbe Morris replied to pankaj singh on 29-Mar-13 09:39 AM
You have to use dynamic sql which would make using this in a stored procedure pointless because it can't compile a proper execution plan.  Plus, you've opened up a huge security hole with sql injection attacks.  You should avoid dynamic sql wherever possible.

declare @sql as varchar(3000)

-- any text spliced in here becomes part of the statement that runs
set @sql = 'some really vulnerable sql statement'

-- the parentheses matter: exec @sql (without them) treats the string as a
-- procedure name, exec (@sql) runs it as a batch of SQL
exec (@sql)
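For contrast with the splicing above, here is an added example (not code from either poster) of the same "select everything from a table named at run time" procedure written so that the table name can only ever be parsed as an identifier. It assumes SQL Server (T-SQL, 2016 SP1 or later for CREATE OR ALTER); the procedure and parameter names are the example's own.

```sql
-- Added example, not from the original thread. Assumes SQL Server (T-SQL).
-- Executes "SELECT * FROM <table>" for a caller-supplied table name without
-- letting that name alter the shape of the statement.
CREATE OR ALTER PROCEDURE dbo.selectrecord_safe
    @table_name  sysname,            -- sysname = nvarchar(128), the type of object names
    @schema_name sysname = N'dbo'    -- hypothetical default; adjust to your schema
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Allow-list check: the name must resolve to an existing user table.
    --    OBJECT_ID is resolved by the engine, so a value such as
    --    'x; DROP TABLE y' matches nothing and the procedure stops here.
    IF OBJECT_ID(QUOTENAME(@schema_name) + N'.' + QUOTENAME(@table_name), N'U') IS NULL
    BEGIN
        RAISERROR(N'Unknown table %s.%s', 16, 1, @schema_name, @table_name);
        RETURN;
    END;

    -- 2. QUOTENAME wraps the identifier in [ ] and doubles any ] inside it,
    --    so whatever the caller passed is delimited as a single identifier.
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM ' + QUOTENAME(@schema_name) + N'.' + QUOTENAME(@table_name) + N';';

    -- 3. sp_executesql runs the text as a batch (plain EXEC @sql would look
    --    for a procedure with that name). Because the statement keeps the
    --    same shape for every table, its plan can be cached and reused.
    EXEC sys.sp_executesql @sql;
END;
GO

-- Usage (constructed call): returns the rows of dbo.Customers, or error 50000
-- "Unknown table dbo.Customers" if no such table exists.
EXEC dbo.selectrecord_safe @table_name = N'Customers';
```

The two controls work together: the OBJECT_ID lookup rejects anything that is not a real table, and QUOTENAME guarantees that even a name containing spaces, semicolons or brackets is treated as one delimited identifier rather than as SQL text. This does not remove the other drawback Robbe mentions, that a procedure whose result set depends on the argument cannot be compiled once up front, but it does remove the injection path.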