filmov
tv
Dynamic sql table name variable
Показать описание
Text version of the video
Healthy diet is very important both for the body and mind. If you like Aarvi Kitchen recipes, please support by sharing, subscribing and liking our YouTube channel. Hope you can help.
Slides
All SQL Server Text Articles
All SQL Server Slides
All SQL Server Tutorial Videos
All Dot Net and SQL Server Tutorials in English
All Dot Net and SQL Server Tutorials in Arabic
In this video we will discuss how to pass table name dynamically for stored procedure in sql server. This is one of the sql questions that is very commonly asked.
I have a web page with a textbox. When I enter a table name in the textbox and when I click "Load Data" button, we want to retrieve data from that respective table and display it on the page.
Copy the SQL Script to create the tables from my blog using the link below
Create the following stored procedure. Notice we are passing table name as a parameter to the stored prcoedure. In the body of the stored procedure we are concatenating strings to build our dynamic sql statement. In our previous videos we discussed that this open doors for SQL injection.
Create procedure spDynamicTableName
@TableName nvarchar(100)
As
Begin
Declare @sql nvarchar(max)
Set @sql = 'Select * from ' + @TableName
Execute sp_executesql @sql
End
So the obvious question that comes to our mind is, why are we not creating parameterised sql statement instead. The answers is we can't. SQL Server does not allow table names and column names to be passed as parameters. Notice in the example below, we are creating a parameterised query with @TabName as a parameter. When we execute the following code, the procedure gets created successfully.
Create procedure spDynamicTableName1
@TableName nvarchar(100)
As
Begin
Declare @sql nvarchar(max)
Set @sql = 'Select * from @TabName'
End
Execute spDynamicTableName1 N'Countries'
Copy and paste the code from my blog in the code-behind page
At this point, run the application and type the following text in the "Table Name" textbox and click "Load Data" button. Notice "SalesDB" database is dropped. Our application is prone to SQL injection as we have implemented dynamic sql in our stored procedure by concatenating strings instead of using parameters.
Employees; Drop database SalesDB
One way to prevent SQL injection in this case is by using SQL Server built-in function - QUOTENAME(). We will discuss QUOTENAME() function in detail in our next video. For now understand that by default, this function wraps that string that is passed to it in a pair of brackets.
SELECT QUOTENAME('Employees') returns [Employees]
Modify the stored procedure to use QUOTENAME() function as shown below.
Alter procedure spDynamicTableName
@TableName nvarchar(100)
As
Begin
Declare @sql nvarchar(max)
Execute sp_executesql @sql
End
At this point, type the following text in the "Table Name" textbox and click "Load Data" button. Notice you will see a message - Invalid object name 'Employees; Drop database SalesDB'. Also "SalesDB" database is not dropped.
Employees; Drop database SalesDB
The entire text in "Table Name" textbox is wrapped in a pair of brackets by the QUOTENAME function and is treated as table name. Since we do have a table with the specified name, we get the error - Invalid object name.
Healthy diet is very important both for the body and mind. If you like Aarvi Kitchen recipes, please support by sharing, subscribing and liking our YouTube channel. Hope you can help.
Slides
All SQL Server Text Articles
All SQL Server Slides
All SQL Server Tutorial Videos
All Dot Net and SQL Server Tutorials in English
All Dot Net and SQL Server Tutorials in Arabic
In this video we will discuss how to pass table name dynamically for stored procedure in sql server. This is one of the sql questions that is very commonly asked.
I have a web page with a textbox. When I enter a table name in the textbox and when I click "Load Data" button, we want to retrieve data from that respective table and display it on the page.
Copy the SQL Script to create the tables from my blog using the link below
Create the following stored procedure. Notice we are passing table name as a parameter to the stored prcoedure. In the body of the stored procedure we are concatenating strings to build our dynamic sql statement. In our previous videos we discussed that this open doors for SQL injection.
Create procedure spDynamicTableName
@TableName nvarchar(100)
As
Begin
Declare @sql nvarchar(max)
Set @sql = 'Select * from ' + @TableName
Execute sp_executesql @sql
End
So the obvious question that comes to our mind is, why are we not creating parameterised sql statement instead. The answers is we can't. SQL Server does not allow table names and column names to be passed as parameters. Notice in the example below, we are creating a parameterised query with @TabName as a parameter. When we execute the following code, the procedure gets created successfully.
Create procedure spDynamicTableName1
@TableName nvarchar(100)
As
Begin
Declare @sql nvarchar(max)
Set @sql = 'Select * from @TabName'
End
Execute spDynamicTableName1 N'Countries'
Copy and paste the code from my blog in the code-behind page
At this point, run the application and type the following text in the "Table Name" textbox and click "Load Data" button. Notice "SalesDB" database is dropped. Our application is prone to SQL injection as we have implemented dynamic sql in our stored procedure by concatenating strings instead of using parameters.
Employees; Drop database SalesDB
One way to prevent SQL injection in this case is by using SQL Server built-in function - QUOTENAME(). We will discuss QUOTENAME() function in detail in our next video. For now understand that by default, this function wraps that string that is passed to it in a pair of brackets.
SELECT QUOTENAME('Employees') returns [Employees]
Modify the stored procedure to use QUOTENAME() function as shown below.
Alter procedure spDynamicTableName
@TableName nvarchar(100)
As
Begin
Declare @sql nvarchar(max)
Execute sp_executesql @sql
End
At this point, type the following text in the "Table Name" textbox and click "Load Data" button. Notice you will see a message - Invalid object name 'Employees; Drop database SalesDB'. Also "SalesDB" database is not dropped.
Employees; Drop database SalesDB
The entire text in "Table Name" textbox is wrapped in a pair of brackets by the QUOTENAME function and is treated as table name. Since we do have a table with the specified name, we get the error - Invalid object name.
0:11:59
Dynamic sql table name variable
0:02:48
How To Parameterize SQL Table Names
0:11:25
Dynamic sql table name variable in arabic
0:04:27
Dynamic SQL 1 in 5 Minutes
0:03:44
SQL Dynamic Query - change database name dynamically in the SQL query
0:04:34
Databases: Parameterize table name in dynamic SQL (3 Solutions!!)
0:05:27
Dynamic Source Table | Fetching Data from Dynamic Table | Dynamic SQL Query | Use of Dynamic SQL
0:04:36
Temp tables in dynamic sql
0:02:04
Databases: variable table and column names in dynamic SQL
0:00:38
How to get COLUMN NAMES in SQL
0:01:28
SQL : Rmarkdown - Use table name as variable in dynamic sql chunk?
0:02:24
Dynamic Output Column Name | Returning Data From Dynamic Column | Use of Dynamic SQL | D-SQL
0:12:12
Dynamic SQL in SQL Server
0:01:00
SQL : How to set table name in dynamic SQL query?
0:16:51
SSIS Dynamic SQL Command
0:52:24
Real Use Case of Dynamic SQL Query | When and How to use Dynamic SQL | Application of Dynamic SQL
0:27:41
SQL Server Programming Part 13 - Dynamic SQL
0:02:15
Databases: How to make table names dynamic in SQL?
0:02:50
Dynamic DDL Command | Creating Table at Runtime | Creating database at Runtime | Use of Dynamic SQL
0:05:49
SQL Server Table Variable Example
0:01:01
SQL : How to use Table Variable in Dynamic Query
0:13:50
Dynamically Pivot Data in SQL Server
0:01:26
SQL : PostgreSQL - dynamic value as table name
0:10:48
SSIS 'Execute SQL Task' - dynamic SQL
Комментарии