tags:

views:

141

answers:

3
+1  Q: 

SQL Update columns passing into the query the column name and value

Hi,

I have the following code:

UPDATE myTable
SET    Col1 = @Value

However, I have a table that has over a 100 columns and want to be able to specify a column name by passing the name into the query similar to:

UPDATE myTable
SET    @ColName = @Value

When I do this I get an error. Is there a good solution to this? Its probably something simple!

Thank you in advanced.

+2  A: 

You'd have to revert to dynamic SQL to do this.

IronGoofy  2009-10-27 12:23:56
+6  A: 

You'll have to use dynamic SQL, and write it to make sure you don't let Little Bobby Tables in. Something like this:

DECLARE @sql NVARCHAR(500)
SET @sql = N'UPDATE myTable SET ' + QUOTENAME(@colName) + ' = @pUpdateVal'
EXEC sp_ExecuteSQL @sql, '@pUpdateVal NVARCHAR(20)', @value

Make sure you change the type of @pUpdateVal to something appropriate for your environment, but this will mitigate the risk of injection attacks.

Chris J  2009-10-27 12:29:49
+1 for using the parameter
Raj More  2009-10-27 12:50:51
Shouldn't it just be UPDATE myTable?
CodeByMoonlight  2009-10-27 12:52:59
@CodeByMoonlight ... yes :-) Fixed.
Chris J  2009-10-27 12:59:26
thanks, for everyone's comments and answers. I created a Stored Procedure using dynamic SQL and worked a treat.
Belliez  2009-10-27 14:49:14
+1  A: 

Agreed with the others, you'll need dynamic SQL for this; you can't define object names at run time in native SQL. For a full discussion on dynamic SQL see http://www.sommarskog.se/dynamic%5Fsql.html

Aaron Bertrand  2009-10-27 12:48:26

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP