Stored procedure

Hi everybody,

When I ran this code in SQL Server 2005:

    use test
    go
    create proc testProc @s nvarchar(100),
                         @t nvarchar(100)
    as
    begin
        select @s from @t
    end
    go

I encountered this error message:

    "Incorrect syntax near '@t'."

What is wrong in my code?

Thanks,

Javaneh




  • -Codeman-

    So thanks, friends.

    I'll try them.

    Thanks again for your guidance.


  • Mike Husar

    This particular example doesn't protect against SQL injection attacks. So you need to be very careful using such approaches. And as far as possible use sp_executesql instead of EXEC, since it gives parameterization capability and better plan caching/reuse. Additionally, for object names that you take as input from the end user you should use QUOTENAME to protect against injection attacks before forming the SELECT string. So in the example above you would do:
    declare @tbl nvarchar(200), @sql nvarchar(4000)
    set @tbl = quotename(@t)                 -- @t is the procedure's table-name parameter; [ ] wrapping (with any ] doubled) keeps it a single identifier
    set @sql = N'select x from ' + @tbl      -- only the quoted identifier is spliced into the statement text
    exec sp_executesql @sql                  -- sp_executesql rather than EXEC: same text each call, so the plan is reused


  • MarksmanWaugh

    Hi Roji,

    So thanks for your help.

    I got it.


  • ramexx

    Hi,

    You need to construct a string that can be executed by EXEC. Replace your

    select @s from @t

    with

    EXEC ('select ' + @s + ' from ' + @t )   -- both names are pasted straight into the statement text

    NB.
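
Carrying Mike Husar's sp_executesql/QUOTENAME advice through and setting it beside the EXEC concatenation ramexx suggests, here is an added example; it is not the questioner's code nor code from any reply. It assumes a database test containing a table dbo.Customers with a Name column; the procedure names dbo.testProc_unsafe and dbo.testProc, the @top parameter, the catalog checks and the sample calls are all assumptions of this example.

```sql
USE test;
GO

-- Added example, not code from the original post or any reply. It assumes a
-- table dbo.Customers(Id int, Name nvarchar(100)) exists in database test;
-- the table and every name below are made up for illustration.

-- 1. The EXEC form from ramexx's reply: every argument is pasted into the
--    statement text, so @t = N'Customers; DROP TABLE Customers; --' runs two
--    statements instead of one.
CREATE PROC dbo.testProc_unsafe @s nvarchar(100), @t nvarchar(100)
AS
BEGIN
    EXEC ('select ' + @s + ' from ' + @t);
END;
GO

-- 2. Mike Husar's approach carried through: check the identifiers against the
--    catalog, wrap them with QUOTENAME, and pass the one data value (@top) as
--    a real parameter of sp_executesql. Everything here runs on SQL Server 2005.
CREATE PROC dbo.testProc
    @s   sysname,       -- column to return
    @t   sysname,       -- table to read, one- or two-part name (schema.table)
    @top int = 100      -- data value: bound as a parameter, never spliced in
AS
BEGIN
    SET NOCOUNT ON;

    -- Split "schema.table". PARSENAME returns NULL when the string is not a
    -- one- to four-part name; anything with three or more parts is refused.
    DECLARE @schema sysname, @table sysname, @qualified nvarchar(600);
    SET @table  = PARSENAME(@t, 1);
    SET @schema = ISNULL(PARSENAME(@t, 2), SCHEMA_NAME());   -- caller's default schema
    IF @table IS NULL OR PARSENAME(@t, 3) IS NOT NULL
    BEGIN
        RAISERROR(N'@t must be a table name or schema.table name.', 16, 1);
        RETURN 1;
    END;

    -- Fail closed unless the table and the column really exist.
    SET @qualified = QUOTENAME(@schema) + N'.' + QUOTENAME(@table);
    IF OBJECT_ID(@qualified, N'U') IS NULL OR COL_LENGTH(@qualified, @s) IS NULL
    BEGIN
        RAISERROR(N'Unknown table or column.', 16, 1);
        RETURN 1;
    END;

    -- Identifiers cannot be parameters, so they are spliced in, but only after
    -- QUOTENAME brackets them and doubles any embedded ], so the name can no
    -- longer close the identifier and start a second statement.
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT TOP (@top) ' + QUOTENAME(@s)
             + N' FROM ' + @qualified + N';';

    -- @top travels as a typed parameter; the statement text is identical for
    -- every call on the same table/column, so the cached plan is reused.
    EXEC sys.sp_executesql @sql, N'@top int', @top = @top;
END;
GO

-- Usage (constructed input):
EXEC dbo.testProc @s = N'Name', @t = N'dbo.Customers', @top = 5;
-- Rejected before any statement text is built: no such table exists, so the
-- RAISERROR fires and nothing is executed.
EXEC dbo.testProc @s = N'Name', @t = N'Customers; DROP TABLE Customers; --';
GO
```

The catalog check does the real work: QUOTENAME alone guarantees that the caller can only name an object, not break out of the identifier, while OBJECT_ID and COL_LENGTH additionally stop the caller from reading arbitrary tables the procedure was never meant to expose. Keep the data values (here @top) out of the string entirely; only the names that cannot be parameterized go through QUOTENAME.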

