How to set table name in dynamic SQL query?

by

To help guard against SQL injection, I normally try to use functions wherever possible. In this case, you could do:

...
SET @TableName="<[db].><[schema].>tblEmployees"
SET @TableID   = OBJECT_ID(TableName) --won't resolve if malformed/injected.
...
SET @SQLQuery = 'SELECT * FROM ' + OBJECT_NAME(@TableID) + ' WHERE EmployeeID = @EmpID'

More Related Contents:

  1. Efficiently convert rows to columns in sql server
  2. T-SQL split string
  3. How can I get column names from a table in SQL Server?
  4. Conditional WHERE clause in SQL Server
  5. How can I select the first day of a month in SQL?
  6. GROUP BY to combine/concat a column [duplicate]
  7. Select statement to find duplicates on certain fields
  8. Copy data into another table
  9. Parse comma-separated string to make IN List of strings in the Where clause
  10. How do I see active SQL Server connections?
  11. EXISTS vs JOIN and use of EXISTS clause
  12. UPDATE if exists else INSERT in SQL Server 2008 [duplicate]
  13. Can we pass parameters to a view in SQL?
  14. Why is a UDF so much slower than a subquery?
  15. Cannot use a CONTAINS or FREETEXT predicate on table or indexed view because it is not full-text indexed
  16. Alternate of lead lag function in SQL Server 2008
  17. “Order By” using a parameter for the column name
  18. UNIX_TIMESTAMP in SQL Server
  19. How can I convert a Sql Server 2008 DateTimeOffset to a DateTime
  20. SQL Server SELECT LAST N Rows
  21. The transaction log for the database is full
  22. Generate random int value from 3 to 6
  23. Add emoji / emoticon to SQL Server table
  24. How do I change db schema to dbo
  25. Why & When should I use SPARSE COLUMN? (SQL SERVER 2008)
  26. Using CASE Statement inside IN Clause
  27. Single or multiple databases
  28. SQL Unpivot multiple columns Data
  29. Parameterise table name in .NET/SQL?
  30. Call stored procedure with table-valued parameter from java

Leave a Comment