Channel: SQLServerCentral » SQL Server 2012 » SQL Server 2012 - T-SQL » Latest topics

Parameterized dynamic SQL

I was writing some code to check out the check_constraints of tables spread out across multiple DBs in a partitioned view. My idea was to use a parameterized query. Turns out you cannot use parameters for object names. Is this correct, or is there another way to do this? Something to do with SQL injection? (No fear of that.)

Also, is it no longer necessary to use + in dynamic SQL? (See test 4.)

[code="sql"]
DECLARE @SQL NVarchar(1000), @DBName NVarchar(50), @CKName NVarchar(50), @Tbl NVarchar(50)
SET @DBName = 'Master'
SET @CKName = 'FakeName'
SET @Tbl = 'Check_Constraints'

-- 1: Works
SET @SQL = 'SELECT * FROM ' + @DBName + '.sys.Check_Constraints'
EXEC (@SQL)

-- 2: Works
SET @SQL = 'SELECT * FROM ' + @DBName + '.sys.Check_Constraints WHERE Name = ''@CK'''
EXEC sp_ExecuteSQL @Stmt = @SQL, @Params = N'@CK NVarchar(50)', @CK = @CKName

-- 3: Works
SET @SQL = 'SELECT * FROM ' + @DBName + '.sys.Check_Constraints WHERE Name = @CK'
EXEC sp_ExecuteSQL @Stmt = @SQL, @Params = N'@CK NVarchar(50)', @CK = @CKName

-- 4: Works ?? Same as WHERE Name = ''' + @CKName + '''' ??
SET @SQL = 'SELECT * FROM ' + @DBName + '.sys.Check_Constraints WHERE Name = ''@CKName'''
EXEC sp_ExecuteSQL @Stmt = @SQL, @Params = N'@CK NVarchar(50)', @CK = @CKName

-- 5: Doesn't work
SET @SQL = 'SELECT * FROM ' + @DBName + '.sys.Check_Constraints WHERE Name = @CKName'
EXEC sp_ExecuteSQL @Stmt = @SQL, @Params = N'@CK NVarchar(50)', @CK = @CKName
/*
Msg 137, Level 15, State 2, Line 1
Must declare the scalar variable "@CKName".
*/

-- 6: Doesn't work
SET @SQL = N'SELECT * FROM Master.sys.@Tbl2 WHERE Name = @CK2'
EXEC sp_ExecuteSQL @Stmt = @SQL, @Params = N'@Tbl2 NVarchar(50), @CK2 NVarchar(50)', @CK2 = @CKName, @Tbl2 = @Tbl
/*
Msg 102, Level 15, State 1, Line 1
Incorrect syntax near '@Tbl2'.
*/

-- 7: Doesn't work
SET @SQL = N'SELECT * FROM @DBName2.sys.Check_Constraints'
EXEC sp_ExecuteSQL @Stmt = @SQL, @Params = N'@DBName2 NVarchar(50)', @DBName2 = @DBName
/*
Error
Msg 102, Level 15, State 1, Line 1
Incorrect syntax near '.'.
*/
[/code]

Thanks
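The behaviour in the tests above follows from one rule of sp_executesql: a parameter can stand only where T-SQL allows an expression (a value in a WHERE clause, an INSERT value, an argument), never where the grammar expects an identifier (a database, schema, table or column name). That is why tests 6 and 7 are syntax errors, why test 5 fails (the inner batch only declares @CK, not @CKName), and why test 4 "works" only in the sense that it runs: ''@CKName'' is a string literal, so it compares the constraint name against the text '@CKName' and returns nothing unless a constraint is literally called that. The safe pattern, added here as an example that is not part of the original post, is to whitelist any identifier against the catalog and wrap it in QUOTENAME(), and to pass every value as a real parameter. The database list and the hostile input below are constructed for the demonstration.

```sql
-- Added example, not code from the original post. Runs the same
-- sys.check_constraints query in several databases without splicing
-- untrusted text into the statement. Identifiers cannot be parameters,
-- so they are whitelisted against sys.databases and quoted with
-- QUOTENAME(); values are passed as parameters to sp_executesql.
SET NOCOUNT ON;

DECLARE @CKName  sysname = N'FakeName';           -- value: parameterised
DECLARE @Hostile sysname = N'x'' OR 1=1 --';      -- constructed hostile value for the demo
DECLARE @DBName  sysname;
DECLARE @SQL     nvarchar(max);

-- Whitelist: only names that exist in sys.databases are ever used as identifiers.
-- The IN list is an assumed set of databases for the demo; drop it to scan all.
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = N'ONLINE' AND name IN (N'master', N'msdb');
OPEN dbs;
FETCH NEXT FROM dbs INTO @DBName;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME(@DBName) doubles any ] in the name, so a value such as
    -- 'master];DROP TABLE t;--' becomes one bracketed (non-existent) identifier
    -- instead of a second statement. QUOTENAME(@DBName, '''') emits the same
    -- name as a safely escaped string literal for the output column.
    SET @SQL = N'SELECT ' + QUOTENAME(@DBName, '''') + N' AS db, name, definition FROM '
             + QUOTENAME(@DBName) + N'.sys.check_constraints WHERE name = @CK;';

    -- Safe: the value travels as a parameter and cannot change the query shape.
    EXEC sys.sp_executesql @stmt = @SQL, @params = N'@CK sysname', @CK = @CKName;
    -- The hostile value is just compared as text and matches nothing.
    EXEC sys.sp_executesql @stmt = @SQL, @params = N'@CK sysname', @CK = @Hostile;

    FETCH NEXT FROM dbs INTO @DBName;
END;
CLOSE dbs;
DEALLOCATE dbs;

-- For contrast only: the concatenated literal form. With @Hostile the WHERE
-- clause becomes  name = 'x' OR 1=1 --'  and every constraint comes back.
SET @SQL = N'SELECT name FROM master.sys.check_constraints WHERE name = '''
         + @Hostile + N''';';
PRINT @SQL;
-- EXEC (@SQL);  -- uncomment to watch the OR 1=1 return all rows
```

Two practical notes. The whitelist step matters even with QUOTENAME(): quoting stops the name from breaking out of the identifier, but it does not stop a caller from pointing the query at a database they should not be reading, so check the name against the catalog (or an explicit allow list) before building the statement. And sysname is the right type for identifier and catalog-name parameters; it is nvarchar(128), the maximum length of a SQL Server identifier, which keeps the parameter declaration honest and lets the plan cache reuse the same parameterised plan for every call.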
