Passing in a Parameter -- sql server mseq

Hugo Kornelis
4/28/2005 12:00:00 AM

[quoted text, click to view]

Hi Kunkel,

Several. And they are all described and compared at
http://www.sommarskog.se/arrays-in-sql.html

Best, Hugo
--

Kunkel
4/28/2005 3:30:02 PM

thanks for that link! it was very helpful. but after i implemented the
articles ideas, i came across this solution:

DECLARE @Var AS VARCHAR(100)
SET @Var = '''Dan'', ''Mike'', ''Lisa'''
DECLARE @SQL AS varchar(1000)

SET @SQL = 'SELECT *
FROM ORDERS
WHERE
NAME IN (' + @Var + ')'

Exec(@SQL)

[quoted text, click to view]

Hugo Kornelis
4/29/2005 12:00:00 AM

[quoted text, click to view]

Hi Kunkel,

This is dynamic SQL, and I believe that this techinique is discussed at
Erland's site as well. Please don't do this if you can avoid it. It is a
severe breach of security - you give malicious users the ability to
inject SQL.

Erland has a great article with an in-depth explanation of pros and cons
of dynamic SQL as well: http://www.sommarskog.se/dynamic_sql.html

Best, Hugo
--

Got something to say? Click here to post a reply to this thread.

Don't see what you're looking for? Try a search.

View other messages about sql server mseq

sql server mseq : Passing in a Parameter