Scribd
Upload
69 views2 pages

The EXEC Command and Dynamic SQL

dynamic sql

Uploaded by

user1230
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
69 views2 pages

The EXEC Command and Dynamic SQL

dynamic sql

Uploaded by

user1230
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd

Chapter xx - Dynamic SQL

DYNAMIC SQL

The EXEC Command and Dynamic SQL

We’ve already seen that you can use EXEC to run a stored procedure. However, you can also use
the same command to run any valid SQL enclosed in parentheses:

This command will execute the stored procedure called spSimple


CREATE PROC spSimple which we’ve just created, and hence list the certificates.
AS
-- list all the certificates
SELECT * FROM [Certificate] However, you could have done the same thing by executing the
statement in brackets and quotation marks.
GO
-- run this procedure -- list out all of the certificates
EXEC spSimple EXEC('SELECT * FROM [Certificate]')

Wise Owl’s Hint


Dynamic SQL involves building up a valid SQL command to run, and then executing it using the EX

Why not to Use Dynamic SQL

Purists programmers wouldn’t touch dynamic SQL with a bargepole. Here’s why:

Problem Explanation
SQL injection If you build up a long SQL statement to execute, how do you know what it’s going to
do? This is especially the case when the statement is getting parameters from a
website. Malicious users frequently try to input semi-colons into web forms, hoping to
end your SQL statement being built up behind the scenes and begin their own!
Syntax Because the SQL statement you’re constructing is in a text string, there’s no way that
Management Studio can parse it to check that it makes sense.
Speed For the same reason, SQL Server can’t optimise SQL contained in a text string, as it
would do for the same query normally.

Wise Owl’sAdvanced
Hint Hint

You can mitigate to some extent all these disadvantages by using sp_executesql to run your dyna

© Copyright 2022 Page 1


Chapter xx - Dynamic SQL

Example –Parameterising Row Selection

The procedure below allows you to run any select command against any table:

This procedure takes the following 3 parameters:


CREATE PROC spSelectAnything(
@TableName varchar(100), Parameter What it
@ColumnNames varchar(max),
@SortColumnName varchar(100) @TableName The name of the table from
) which you want to select data.
AS @ColumnNames The columns from this table
you want to display.
@SortColumnNam The name of the column you
-- this procedure uses dynamic SQL e want to sort by
-- to select any columns
-- from any table in any order!
-- string variable to hold SQL The procedure builds up a text string. Suppose that you
-- command we'll accumulate run this procedure with these 3 arguments:
DECLARE @sql VARCHAR(MAX) = -- list out genres
'SELECT ' + EXEC spSelectAnything
@ColumnNames + @TableName='Genre',
' FROM ' + @ColumnNames = 'GenreID,Genre',
@TableName + @SortColumnName='Genre'
' ORDER BY ' +
@SortColumnName Then this debug line will show the SQL command about
-- for debug, show value of this to be executed:
-- text variable
SELECT @sql

-- run it!
EXEC(@sql)

Finally, the procedure executes the command which it’s painstakingly built up to
show the list of genres in genre name order:

© Copyright 2022 Page 2

You might also like