tags:

views:

29

answers:

1
Q: 

how to solve parameter in sp_executesql

Hi,

I have the following query:

create proc [dbo].GetCustById
as
DECLARE @sql nvarchar(500)
DECLARE @Param  nvarchar(200)
SET @sql = 'select @columnName from customer where custId = @custId'
SET @Param = N'@columnName varchar(10), @custId int'

EXEC sp_executesql @sql, @Param , @columnName = 'Address1', @custId = '42'

But it always return a string "Address1" instead of the value of Address1 column. Anyone can help?

thanks

+1  A: 

A parameter is immediately escaped based on the data type--that's why you're getting the value "Address1" returned rather than the actual value for the column.

Submit the column name not as a parameter, but as a concatenated string:

DECLARE @sql nvarchar(500)
DECLARE @Param  nvarchar(200)
SET @sql = 'select '+ @columnName +' from customer where custId = @custId'
SET @Param = N'@custId int'

EXEC sp_executesql @sql, @Param , @custId = 42

Read more about the behavior here.

The only other alternative I'm aware of requires that you use decision logic to redirect to a query where the column name is statically defined:

IF @columname = 'Address1' 
BEGIN

  SET @sql = 'select Address1 from customer where custId = @custId'

END
OMG Ponies  2010-10-06 02:26:40
the reason i cannot make it as concetenate string is because due to security policy. this will open to sql injection!
 2010-10-06 02:34:23
@user384080: then you are out of luck. You cannot directly parametrise a column name without doing as OMG suggests.
Mitch Wheat  2010-10-06 02:38:06
well.. there has to be a better way in doing this out there.. it'll be more than "out of luck" if my app is open to sql injection!
 2010-10-06 02:42:06
wrong sql injection syntax.. try this: "top 1 * from customer ;drop table customer --"
 2010-10-06 02:52:49
@user384080: Better example: "'''a'';drop table customer --'", because people are unlikely to know the actual table.
OMG Ponies  2010-10-06 02:58:30
haha.. imagine if the table has 20 columns then i will end up with 20 if statements? well.. if it's only 20 columns, what happens if more?
 2010-10-06 03:04:59
@user384080: I've never worked on an app that needed to fetch single, isolated columns for a particular entity at a time. We'd fetch the entire entity/object, and refresh that as needed.
OMG Ponies  2010-10-06 03:11:43
we actually need to pull out an image (binary) from the table and there are 10 image columns. Due to performance issue we cannot pull out all of 10 image columns so we need to prompt the user which image that they wish to load.
 2010-10-06 03:35:07
anyway.. thanks for ur helps and suggestion.. still looking for the alternative way of doing this out there.
 2010-10-06 03:35:44
@user384080: Filestream isn't any help? The query would work better if there weren't individual columns for the files. If there was an additional column to indicate which of the 10/etc images to grab....
OMG Ponies  2010-10-06 03:36:13
 2010-10-06 04:04:34

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?