Re: what is wrong with this stored procedure?
From: Hugo Kornelis (hugo_at_pe_NO_rFact.in_SPAM_fo)
Date: 12/03/04
- Next message: Hugo Kornelis: "Re: How to model Enumeration's in a Table"
- Previous message: Cristian Babu: "Re: Field Exists"
- In reply to: Robert Davis: "Re: what is wrong with this stored procedure?"
- Next in thread: David Gugick: "Re: what is wrong with this stored procedure?"
- Reply: David Gugick: "Re: what is wrong with this stored procedure?"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 03 Dec 2004 10:11:42 +0100
On Thu, 2 Dec 2004 08:07:06 -0800, Robert Davis wrote:
>I would suggest following Aaron's advice, but just wanted to throw out
>another alternative. You could execute the query dynamically:
Hi Robert,
That would be extremely dangerous!
>CREATE PROCEDURE SP_CheckStatus2
> @mylist varchar(1000)
>as
>Declare @SQL varchar(2000)
>Set @SQL = 'select name, emailname from tbl_person where name in (' +
>@mylist + ') or emailname in (' + @mylist + ')'
>
>Exec(@SQL)
>GO
Just try what happens if you call this procedure as follows:
CALL SP_CheckStatus2 '''Jerry'', ''Tom''); DROP TABLE tbl_person; --'
(Hint: change Exec to print first)
http://www.sommarskog.se/dynamic_sql.html
Also (to the OP): you should not start your procedure names with sp_; this
name gets special treatment from SQL Server.
Best, Hugo
-- (Remove _NO_ and _SPAM_ to get my e-mail address)
- Next message: Hugo Kornelis: "Re: How to model Enumeration's in a Table"
- Previous message: Cristian Babu: "Re: Field Exists"
- In reply to: Robert Davis: "Re: what is wrong with this stored procedure?"
- Next in thread: David Gugick: "Re: what is wrong with this stored procedure?"
- Reply: David Gugick: "Re: what is wrong with this stored procedure?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
