Flexible Insert STORED PROCEDURE

Question

1.00/5 (1 vote)

See more:

SQL-Server-2008

my stored

SQL

alter PROCEDURE [dbo].[InsertDynamicFun] 
@TblName nvarchar(max),@F1 nvarchar(50),@F2 nvarchar(50),@F3 nvarchar(50),@F4 nvarchar(50) ,
@P1 nvarchar(50),@P2 nvarchar(50),@P3 nvarchar(50),@P4 nvarchar(50) 
AS BEGIN
 declare @TAblE nvarchar(max);

set @TAblE = 'Insert Into ' + @TblName + '('+@F1+','+@F2+','+@F3+','+@F4+')Values ('+@P1+','+@P2+','+@P3+','+@P4+')' exec(@TAblE) 
END

Display Error Msg 207, Level 16, State 1, Line 3 Invalid column name 'Value of @P2'. Msg 207, Level 16, State 1, Line 3 Invalid column name 'Value of @P3'. Msg 207, Level 16, State 1, Line 3 Invalid column name 'Value of @P4'.

but @P1 Did not show her fault I want to save the data in any table by pass The Parameter to stored PROCEDURE and Taking into account the numeric fields

Posted 17-Sep-14 0:14am

alhlwany.it

Add a Solution

Comments

Kornfeld Eliyahu Peter 17-Sep-14 6:19am

You may add print @table to your code to see actual SQL query to be executed...

Richard Deeming 17-Sep-14 7:48am

Congratulations - you've just clearly demonstrated the stored procedures don't automatically protect you from SQL Injection[^] vulnerabilities.

Madhuri Gamane 17-Sep-14 8:39am

are you assigning insert to varchar ??
and is there no need of table creation ?

2 solutions

Solution 1

set @TAblE = 'Insert Into ' + @TblName + '('+@F1+','+@F2+','+@F3+')Values ('''+@P1+''','''+@P2+''','''+@P3+''')'

Can you try with this line in place of your.

Posted 17-Sep-14 1:55am

Jitendra Ku. Sahoo

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Accepted Answer · 2014-09-17T02:09:00

It doesn't make a lot of sense to do this - a direct INSERT query would be easier to code.

However, if you're going to use this approach, you need to do two things:

Validate the table and column names before creating your query;
Use sp_executesql[^] to pass the parameters to the query, avoiding SQL Injection[^];

SQL

ALTER PROCEDURE [dbo].[InsertDynamicFun] 
    @TblName sysname, @F1 sysname, @F2 sysname, @F3 sysname, @F4 sysname,
    @P1 nvarchar(50), @P2 nvarchar(50), @P3 nvarchar(50), @P4 nvarchar(50) 
AS 
BEGIN
DECLARE @TableObjectID int;
DECLARE @Statement nvarchar(max), @ParameterDefinition nvarchar(max);
    
    -- Verify that the table exists, and get the full name:
    -- TODO: Restrict the tables which can be used.
    SELECT
        @TableObjectID = object_id,
        @TblName = QUOTENAME(S.name) + '.' + QUOTENAME(T.name)
    FROM
        sys.tables As T
        INNER JOIN sys.schemas As S
        ON S.schema_id = T.schema_id
    WHERE
        name = @TblName
    ;
    
    If @@ROWCOUNT = 0
    BEGIN
        RAISERROR('Table "%s" does not exist.', 16, 1, @TblName);
        Return;
    END;
    
    -- Validate that the first column exists:
    SELECT
        @F1 = QUOTENAME(name)
    FROM
        sys.columns
    WHERE
        object_id = @TableObjectID
    And
        name = @F1
    ;
    
    If @@ROWCOUNT = 0
    BEGIN
        RAISERROR('Table "%s" does not contain a column called "%s".', 16, 1, @TblName, @F1);
        Return;
    END;
    
    -- Validate that the second column exists:
    SELECT
        @F2 = QUOTENAME(name)
    FROM
        sys.columns
    WHERE
        object_id = @TableObjectID
    And
        name = @F2
    ;
    
    If @@ROWCOUNT = 0
    BEGIN
        RAISERROR('Table "%s" does not contain a column called "%s".', 16, 1, @TblName, @F2);
        Return;
    END;
    
    -- Validate that the third column exists:
    SELECT
        @F3 = QUOTENAME(name)
    FROM
        sys.columns
    WHERE
        object_id = @TableObjectID
    And
        name = @F3
    ;
    
    If @@ROWCOUNT = 0
    BEGIN
        RAISERROR('Table "%s" does not contain a column called "%s".', 16, 1, @TblName, @F3);
        Return;
    END;
    
    -- Validate that the fourth column exists:
    SELECT
        @F4 = QUOTENAME(name)
    FROM
        sys.columns
    WHERE
        object_id = @TableObjectID
    And
        name = @F4
    ;
    
    If @@ROWCOUNT = 0
    BEGIN
        RAISERROR('Table "%s" does not contain a column called "%s".', 16, 1, @TblName, @F4);
        Return;
    END;
    
    
    -- Build the query to execute.
    -- By using sp_executesql, the parameters can be passed as parameters.
    -- We still have to use string concatentation for the table and column names,
    -- but since we've validated the names above, this should be OK.
    
    SET @Statement = N'INSERT INTO ' + @TblName + N' (' + @F1 + N', ' + @F2 + N', ' + @F3 + N', ' + @F4 + N') VALUES (@P1, @P2, @P3, @P4)';
    SET @ParameterDefinition = N'@P1 nvarchar(50), @P2 nvarchar(50), @P3 nvarchar(50), @P4 nvarchar(50)';
    EXEC sp_executesql @Statement, @ParameterDefinition, @P1, @P2, @P3, @P4;
END