I have the following SQL Server stored procedure:
CREATE PROCEDURE ispsDcOhcAgg #TmpTableName NVARCHAR(50), #ListItem NVARCHAR(50)
AS
IF EXISTS (SELECT name
FROM sys.tables
WHERE name = #TmpTableName)
DROP TABLE #TmpTableName; -- This will not work.
GO
This will clearly not work (see the comment in the above snippit). The only (and very ugly) way I have found to get around this problem is to do the following
CREATE PROCEDURE ispsDcOhcAgg #TmpTableName NVARCHAR(50), #ListItem NVARCHAR(50)
AS
DECLARE #SQL NVARCHAR(4000)
SET #SQL = N'IF EXISTS (SELECT name ' +
N'FROM sys.tables ' +
N'WHERE name = N' + N'''' + #TmpTableName + N''') ' +
N'DROP TABLE ' + #TmpTableName + N';'
EXEC sp_executesql #SQL;
GO
which truly stinks and for large stored procedures, it's horrendous!
Is there another way of doing this that I don't know about?
Thanks for your time.
No, if you want to use a table name dynamically like this, you need to use dynamic SQL.
So you should make sure you don't open yourself up to nasty SQL injection risks!
Try something like this:
SET #SQL = 'IF EXISTS (SELECT name ' +
N'FROM sys.tables ' +
N'WHERE name = #TableName) ' +
N'DROP TABLE ' + QUOTENAME(#TmpTableName) + ';'
EXEC sp_executesql #SQL, N'#TableName sysname', #TmpTableName;
No, if you want to determine the table to be dropped at runtime, there is no alternative to dynamic SQL.
There is a slightly less ugly way: you only use dynamic SQL for the command that needs to be dynamic (the DROP command):
DECLARE #SQL NVARCHAR(100)
IF EXISTS (SELECT name
FROM sys.tables
WHERE name = #TmpTableName)
BEGIN
SET #SQL = N'DROP TABLE ' + #TmpTableName + N';'
EXEC sp_executesql #SQL;
END
Related
How can I get the output of the below query in a variable without temp table?
DECLARE #Q1 NVARCHAR(300)
DECLARE #Q2 NVARCHAR(300)
DECLARE #Q3 NVARCHAR(300)
SET #Q1 = 'SELECT ' +' ' + #formfieldpath
SET #Q2 = 'FROM [TestDatabase].[details] WHERE id ' + '=''' + CAST(#id AS VARCHAR(10)) + '''';
SET #Q3 = #Q1 +' '+ #Q2
PRINT #Q3
EXEC sp_executesql #Q3
Tried 'How to get sp_executesql result into a variable?' and not able to get the results.
Assuming that you get a singleton value from your dynamic statement:
DECLARE #ID int, --Is set somewhere
#YourVariable nvarchar(30), --Use an appropriate data type
#formfieldpath sysname; --Is set somewhere
DECLARE #SQL nvarchar(MAX);
--I assume that the name [TestDatabase].[details] is wrong, as [TestDatabase] would be the name of the schema, not the database,
--and I ASSUME you haven't foolishy created a schema called "TestDatabase"
SET #SQL = N'SELECT #YourVariable = ' + QUOTENAME(#formfieldpath) + N' FROM dbo.Details WHERE id = #id';
--Use the correct datatype for #YourVariable
EXEC sys.sp_executesql #SQL, N'#id int, #YourVariable nvarchar(30) OUTPUT', #id, #YourVariable OUTPUT;
Never inject unsanitised values into a dynamic SQL statement. SQL injection is a huge problem that should have stopped existing over a decade ago. Dos and Don'ts of Dynamic SQL
To whoever reads this,
Basically using dynamic SQL, i am trying to create a database and then insert into it. Problem is that I cant find an alternative to 'GO' since when i run it i get an error saying the newly created DB doesn't exist. I know that it cant be used in dynamic sql as it is not recognized as T-SQL. I've also tried adding ";" but error still persists.
DECLARE #TargetDB sysname
DECLARE #TargetSchema sysname
DECLARE #TargetTable sysname
DECLARE #SourceDB sysname
DECLARE #SourceSchema sysname
DECLARE #SourceTable sysname
DECLARE #sql NVARCHAR(max)
SET #SourceDB = 'AYOOO'
SET #TargetDB = #SourceDB + 'SandBox'
SET #SourceTable = 'GUCCI'
SET #TargetTable = #SourceTable + 'SandBox'
SET #sql = N'CREATE DATABASE ' + #TargetDB + '; ' --create new db
SET #sql = #sql + N' SELECT * INTO ' + #TargetDB +'.dbo.'+#TargetTable+' FROM ' + #SourceDB+'.dbo.'+#SourceTable; --these 2 lines are for copying data into new tables
PRINT #sql
EXEC sys.sp_executesql #sql
Error:
Database 'AYOOOSandBox' does not exist.
I know its a stupid question but I'd like to find a good alternative to "GO" or a better practice for Dynamic SQL.
Thanks
After fixing your SQL to not be a huge injection issue, by properly quoting your objects, you need to separate the statements into 2 commands. Then you can CREATE your database in one command, and then INSERT in another.
DECLARE #TargetDB sysname,
#TargetSchema sysname,
#TargetTable sysname,
#SourceDB sysname,
#SourceSchema sysname,
#SourceTable sysname,
#sql nvarchar(MAX),
#CRLF nchar(2) = NCHAR(13) + NCHAR(10);
SET #SourceDB = 'AYOOO';
SET #TargetDB = #SourceDB + 'SandBox';
SET #SourceTable = 'GUCCI';
SET #TargetTable = #SourceTable + 'SandBox';
SET #sql = N'CREATE DATABASE ' + QUOTENAME(#TargetDB) + N';'; --create new db
EXEC sys.sp_executesql #sql;
SET #sql = N'SELECT *' + #CRLF +
N'INTO ' + QUOTENAME(#TargetDB) + N'.dbo.' + QUOTENAME(#TargetTable) + #CRLF +
N'FROM ' + QUOTENAME(#SourceDB) + N'.dbo.' + QUOTENAME(#SourceTable) + N';'; --copying data into new tables
EXEC sys.sp_executesql #sql;
Looking for way to create some dynamic SQL to drop a table if it exists. However I can not seem to get the syntax correct. Here is the query so far (renamed fields for security)
DECLARE #TableNameNew NVARCHAR(MAX)
DECLARE #DynamicSQL2 NVARCHAR(MAX)
SET #TableNameNew = (SELECT 'tbl1_' + REPLACE(StaffCode,'.','') AS TableName
FROM tblEmployee WHERE (PCLogin = REPLACE(SYSTEM_USER, 'DOMAIN\', '')))
SET #DynamicSQL2 = 'IF OBJECT_ID(' + '''' + #TableNameNew + '''' + +','+'''U''' + ') IS NOT NULL DROP TABLE ' + #TableNameNew
EXEC #DynamicSQL2
This returns an error:
Could not find stored procedure 'IF OBJECT_ID('tbl1_ghewitt','U') IS NOT NULL DROP TABLE tbl1_ghewitt'.
Try
EXECUTE sp_executesql #DynamicSQL2
instead of
EXEC #DynamicSQL2
Using MS SQL2000 at present if that makes any difference.
Is there a better way than the method below to be able to programatically access a table ?
declare #tableName as varchar(50)
declare #sql varchar(4000)
set #tableName = 'User'
print #tableName
If EXISTS(
select TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE table_name = ''+#TableName+''
)
BEGIN
set #sql = 'select * from [' + #tableName + ']'
exec(#sql)
end
Essentially Im trying to create a simple Mapping tool for CRUD operations so that I need only one Sproc for each operation, and I can pass in my parameterised object, a table name and let the database do the rest. This is purely for my own personal education, hence why Im not using an established framework, so if there are any major gotcha's with my idea or the code above, I'd appreciate knowing as well.
Thanks
This is complete example to create a SP by follow your initial code:
CREATE PROCEDURE dbo.CustomSelect (#tableName as varchar(50))
AS
SET NOCOUNT ON
DECLARE #sql varchar(4000)
If EXISTS(
select TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE table_name = #tableName
)
BEGIN
set #sql = 'select 1 as Found, * from [' + #tableName + ']'
exec(#sql)
END
ELSE
BEGIN
select 0 as Found
END
This SP always return a recordset so you can check the value of the field FOUND to know if the table exist or not
usage:
EXEC CustomSelect 'User'
Hope it helps
I have a query that is dynamically fetching the stored proc names from all the databases.
Now I want to execute the stored procs and store the result in a temptable or table variable.
How to do that. Here is my SP so far
Declare #GetDBNames sysname
Declare #DynSql nvarchar(max)
Declare DBNames cursor for
Select '['+name+']' from master.dbo.sysdatabases
open DBNames
FETCH NEXT FROM DBNames into #GetDBNames
WHILE ##FETCH_STATUS=0
BEGIN
SET #DynSql = '
Select Specific_Catalog as Database_Name, Routine_Name as ''Stored Procedure Name''
From '+ #GetDBNames+'.Information_Schema.Routines '
EXEC (#DynSql)
FETCH NEXT FROM DBNames into #GetDBNames
END
Close DBNames
Deallocate DBNames
Please help.
Thanks in advance
Here's my soluton. Cursors are evil :)
Declare #DynSql nvarchar(max)
declare #result table ([Database_Name] nvarchar(128), [Stored Procedure Name] sysname)
SET #DynSql = ''
select #DynSql = #DynSql + '
Select SPECIFIC_CATALOG COLLATE DATABASE_DEFAULT as Database_Name, ROUTINE_NAME COLLATE DATABASE_DEFAULT as [Stored Procedure Name]
From ' + NAME + '.INFORMATION_SCHEMA.ROUTINES' + CHAR(13) + 'union all' + CHAR(13)
from master.dbo.sysdatabases
--remove last "union all"
SET #DynSql = left(#DynSql, LEN(#DynSql) - 10)
insert #result
exec sp_executesql #DynSql
select * from #result
INSERT [TableName] EXEC (#DynSql)
Note that if you introduce data you may want to use sp_ExecuteSQL, and you probably want to use [/] object-name escaping.