tags:

views:

384

answers:

4
+3  Q: 

TSQL 'Invalid column name' error on value of sproc parameter

here's my code:

DECLARE @SQL varchar(600)

SET @SQL = 
'SELECT     CategoryID, SubCategoryID, ReportedNumber
FROM    tblStatistics
WHERE   UnitCode = ' + @unitCode +
' AND   FiscYear = ' + @currYEAR

EXEC (@SQL)

When i run this sproc with unitCode = 'COB' and currYEAR = '10', i get the following error:

Invalid column name 'COB'.

Does anyone know why?

thx!

+5  A: 

You need to put quotes around the values in the SQL:

'SELECT     CategoryID, SubCategoryID, ReportedNumber
FROM    tblStatistics
WHERE   UnitCode = ''' + @unitCode +
''' AND   FiscYear = ''' + @currYEAR + ''''
Mark Byers  2010-03-18 19:39:04
thank you! that makes sense now
Daria  2010-03-18 20:08:30
+6  A: 

That's a nice SQL injection vulnerability there.

Start by rewriting it this way, using bind parameters:

DECLARE @SQL nvarchar(4000)

SET @SQL =
    'SELECT CategoryID, SubCategoryID, ReportedNumber ' +
    'FROM tblStatistics ' +
    'WHERE UnitCode = @UnitCode ' +
    'AND FiscYear = @CurrYear'

EXEC sp_executesql
    @SQL,
    '@UnitCode varchar(10), @CurrYear int',
    @UnitCode = 'COB',
    @FiscYear = 10
Aaronaught  2010-03-18 19:39:06
i'm doind sql injection tests elsewhere, but thank you!
Daria  2010-03-18 20:10:09
@Daria: What? You don't do SQL injection "tests", you design your scripts and code to prevent it in the first place. The code you posted is a SQL injection vulnerability - period. This is the *only* correct way to write dynamic SQL with parameters, and it will solve your error here at the same time.
Aaronaught  2010-03-18 20:48:07
+3  A: 

You don't have quotes inside your quotes - SQL essentially sees 

WHERE UnitCode = COB

and COB must not be a column. But why are you building the SQL this way? Why not

SELECT CategoryID, SubCategoryID, ReportedNumber
  FROM tblStatistics
 WHERE UnitCode = @unitCode
   AND FiscYear = @currYear
n8wrl  2010-03-18 19:39:22
Correct you do not need to write dynamic sql just to pass parameters to your select statement inside of a stored procedure.
Joe Pitz  2010-03-18 19:45:01
that's not my complete code, just an example to get across my error issue. i do have a good reason for making it dynamic. thanks!
Daria  2010-03-18 20:11:25
+2  A: 

If we can assume that UnitCode is a VARCHAR field you'd have to add quotes around the @unitcode variable.

DECLARE @SQL varchar(600) 

SET @SQL =  
'SELECT     CategoryID, SubCategoryID, ReportedNumber 
 FROM    tblStatistics 
 WHERE   UnitCode = ''' + @unitCode + ''''
' AND   FiscYear = ' + @currYEAR 

EXEC (@SQL)
Lieven  2010-03-18 19:39:28
You're adding quotes, not parentheses... I've heard a million other people use the wrong word there before :P
Timothy Khouri  2010-03-18 19:58:17
@Timothy Khouri - lol. Thank you for the correction.
Lieven  2010-03-19 07:36:26

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?