Last post 11-08-2009 12:07 AM by Naom. 2 replies.
Does the SQL language INTO allow for concatenation in constructing a table name using a parameter?
@tablesuffix
...... INTO tblClients + @tablesuffix
such that if @tablesuffix = 123 the INTO table name would be tblClients123
Thank you
You can use string concatenation to dynamically construct a string that represents your SQL statement.
Then you can EXEC that string.
For example: http://www.sqlbook.com/SQL/Dynamic-SQL-statements-16.aspx
Keep in mind, though, that performing string concatenation like this (even in a stored proc that uses parameters) opens you up to the possibility of a SQL injection attack.
You can avoid the SQL injection danger by using sp_executesql: http://msdn.microsoft.com/en-us/library/aa933299(SQL.80).aspx
For example: http://blogs.msdn.com/raulga/archive/2007/01/04/dynamic-sql-sql-injection.aspx
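The asker's SELECT ... INTO with a suffixed table name, written as dynamic SQL the way the reply above describes, as an added example that is not code from the thread. It assumes a source table dbo.tblClients with a Region column; the procedure name is made up. One caveat the linked articles do not spell out: sp_executesql can parameterize data values but not identifiers, so the table name still has to be concatenated, and what keeps that safe is the strictly typed INT suffix plus QUOTENAME() around the finished identifier.

```sql
-- Added example, not from the forum thread. Assumes dbo.tblClients(Region, ...).
-- The identifier is built from an INT suffix (no free text can reach it) and
-- wrapped in QUOTENAME(); the data value is passed as a real parameter.
CREATE PROCEDURE dbo.usp_SnapshotClients   -- hypothetical name
    @tablesuffix INT,           -- integer type: cannot carry SQL text
    @region      NVARCHAR(50)   -- data value: parameterized, never concatenated
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @tableName SYSNAME = N'tblClients' + CAST(@tablesuffix AS NVARCHAR(10));
    DECLARE @sql NVARCHAR(MAX);

    -- QUOTENAME() brackets the identifier and doubles any ']' inside it,
    -- so the name can never terminate the identifier and start a new statement.
    SET @sql = N'SELECT * INTO dbo.' + QUOTENAME(@tableName)
             + N' FROM dbo.tblClients WHERE Region = @region;';

    -- The pattern the reply warns about would instead splice the value in:
    --   SET @sql = N'... WHERE Region = ''' + @region + ''';';
    -- which turns whatever the caller typed into SQL.

    -- With @tablesuffix = 123 this executes:
    --   SELECT * INTO dbo.[tblClients123] FROM dbo.tblClients WHERE Region = @region;
    EXEC sys.sp_executesql
        @sql,
        N'@region NVARCHAR(50)',
        @region = @region;
END;
GO

-- Usage:
-- EXEC dbo.usp_SnapshotClients @tablesuffix = 123, @region = N'North';
```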
Please see this thread on how to use dynamic SQL while still preventing the possibility of an injection attack:
http://tek-tips.com/viewthread.cfm?qid=1575213&page=1