How to set table name in dynamic SQL query?
To help guard against SQL injection, I normally try to use functions wherever possible. In this case, you could do: … SET @TableName=”<[db].><[schema].>tblEmployees” SET @TableID = OBJECT_ID(TableName) –won’t resolve if malformed/injected. … SET @SQLQuery = ‘SELECT * FROM ‘ + OBJECT_NAME(@TableID) + ‘ WHERE EmployeeID = @EmpID’