ansaurus

Question

How do I paramaterise a T-SQL stored procedure that drops a table?

Answer 1

A:

You'll have to use EXEC to execute that query as a string. In other words, when you pass in the table name, define a varchar and assign the query and tablename, then exec the variable you created.

Edit: HOWEVER, I don't recommend that because someone could pass in sql rather than a TableName and cause all kinds of wonderful problems. See Sql injection for more information.

Your best bet is to create a parameterized query on the client side for this. For example, in C# I would do something like:

// EDIT 2: on second thought, ignore this code; it probably won't work
SqlCommand sc = new SqlCommand();
sc.Connection = someConnection;
sc.CommandType = Command.Text;
sc.CommandText = "drop table @tablename";
sc.Parameters.AddWithValue("@tablename", "the_table_name");
sc.ExecuteNonQuery();

Michael Todd 2009-07-09 01:07:42

Thanks Michael.

dave 2009-07-09 01:14:57

Honestly, if the INTENDED purpse of the stored proc is to drop an arbirary table passed in, how much worse could a SQL Injecion attack be? I mean, why bother escaping a sring if youcan DROP ANY TABLE IN THE DB with no hack required?

JohnFx 2009-07-09 01:59:41

Hmmm...good point. Hadn't though of that.

Michael Todd 2009-07-09 02:59:32

And, by the way, this (http://stackoverflow.com/questions/1105643/help-production-db-was-sql-injected) is why you need to worry about Sql injection.

Michael Todd 2009-07-09 18:24:17

Answer 2

+3 A:

You should be able to use dynamic sql:

declare @sql varchar(max)
if exists (select name from sysobjects where name = @TableName)
BEGIN
   set @sql = 'drop table ' + @TableName
   exec(@sql)
END

Hope this helps.

Update: Yes, you could make @sql smaller, this was just a quick example. Also note other comments about SQL Injection Attacks

Wayne 2009-07-09 01:09:40

Thanks Wayne - worked fine.

dave 2009-07-09 01:15:38

Make @SQL nvarchar(max) since table names are nvarchar. (Actually sysname, but equivalent to nvarchar(some number, 128 maybe?)

Shannon Severance 2009-07-09 01:26:05

You should also escape @TableName for square brackets. SQL Server has a command that does this for you. Set @sql = 'drop table ' + QuoteName(@TableName);

Chris Nielsen 2009-07-09 13:53:03

Answer 3

+1 A:

Personally I would be very wary of doing this. If you feel you need it for administrative purposes, please make sure the rights to execute this are extremely limited. Further, I would have the proc copy the table name and the date and the user executing it to a logging table. That way at least you will know who dropped the wrong table. You may want other protections as well. For instance you may want to specify certain tables that cannot be dropped ever using this proc.

Further this will not work on all tables in all cases. You cannot drop a table that has a foreign key associated with it.

Under no circumstances would I allow a user or anyone not the database admin to execute this proc. If you havea a system design where users can drop tables, there is most likely something drastically wrong with your design and it should be rethought.

Also, do not use this proc unless you have a really, really good backup schedule in place and experience restoring from backups.

HLGEM 2009-07-09 13:48:44

These are all excellent points. My situation is such that these are not a concern. We have a production database which is copied overnight to form our reporting database. We run reports against this copy to produce tables with derived data (and no foreign keys). We only delete these derived tables. But if we accidentally trash something it doesn't matter.

dave 2009-07-09 22:43:14

ansaurus

tags:

views:

answers:

How do I paramaterise a T-SQL stored procedure that drops a table?

related questions