karthikeyan2004k
Starting Member
5 Posts
Posted - 2012-05-08 : 05:48:39
Hi, this is a piece of my SP. I used the following to get the exec(query) value but I can't get it, please clear this up for me:

declare @remind_Date varchar(50);
declare @remindResult varchar(max);
set @remind_Date = 'Reminder_' + @today_datename;
set @remindResult = 'select ' + @remind_Date + ' from tblReminder_Child where ID= ' + @ID;
set @intVal = exec(@remindResult);

Thanks in advance
karthikeyan.r
khtan
In (Som, Ni, Yak)
17689 Posts
Transact Charlie
Master Smack Fu Yak Hacker
3451 Posts
Posted - 2012-05-08 : 06:24:42
And if you don't read the link... let me give you the salient points.

Your code is dangerous. It is totally open to SQL injection.

I see that you are concatenating the @ID variable to a string; this means it's a varchar? What if you are passed the @ID value of '0; DROP TABLE tblReminder_Child; --'?

What you should be asking is: "How do I change this design?"

What does the tblReminder_Child table look like? Does it *really* have a column for every possible 'Reminder_' + @today_datename combo? Why not have a normalized design instead?

A better question for us would be to describe the current db design (for this case) and then talk about how to make it better/safer/quicker.

Charlie
===============================================================
Msg 3903, Level 16, State 1, Line 1736
The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION
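As an added example (not code posted in this thread), here is how the lookup could be rewritten so that it both returns the value, which was the original question, and closes the injection hole Charlie describes. It assumes the table is dbo.tblReminder_Child, that its ID and Reminder_* columns are int, and it uses constructed sample values for @today_datename and @ID.

```sql
-- Hardened rewrite of the dynamic lookup. The column name still has to be
-- built dynamically (the table design is taken as given here), so it is
-- validated against sys.columns and quoted with QUOTENAME; the ID is passed
-- as a typed parameter through sp_executesql instead of being concatenated;
-- the result comes back through an OUTPUT parameter, which EXEC(@sql) cannot do.
DECLARE @today_datename sysname = N'Monday';   -- constructed sample value
DECLARE @ID int = 42;                           -- constructed sample value
DECLARE @intVal int;

DECLARE @remind_Date sysname = N'Reminder_' + @today_datename;

-- 1. Whitelist check: refuse any column name that does not exist on the table.
IF NOT EXISTS (SELECT 1
               FROM sys.columns
               WHERE object_id = OBJECT_ID(N'dbo.tblReminder_Child')
                 AND name = @remind_Date)
BEGIN
    RAISERROR(N'Unknown reminder column %s', 16, 1, @remind_Date);
    RETURN;
END;

-- 2. Build the statement with the identifier quoted and the value parameterised.
DECLARE @sql nvarchar(max) =
    N'SELECT @result = ' + QUOTENAME(@remind_Date) +
    N' FROM dbo.tblReminder_Child WHERE ID = @id;';

-- 3. sp_executesql binds @id as an int, so a string such as
--    '0; DROP TABLE tblReminder_Child; --' is never part of the SQL text
--    and cannot change the statement.
EXEC sp_executesql
    @sql,
    N'@id int, @result int OUTPUT',
    @id = @ID,
    @result = @intVal OUTPUT;

SELECT @intVal AS remind_value;
```

If the caller really does receive @ID as varchar, convert it with TRY_CONVERT(int, @ID) before the call and reject NULL results rather than passing the string through.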