Hi,
I have a complex SQL query against multiple tables that ideally would be best used as a stored procedure.
I know of and have read about creating named parameters and setting the parameters' values in ASP just before issuing an execute command via the Command object. What I'd like to do is assign the text of the filter and sort clauses to the parameters. Not the values, but the entire string, such as
"WHERE lastname LIKE 'A%' "
"ORDER BY lastname "
I need to assign the entire clause because the query may or may not use a particular clause.
I have experimented. However SQL treats the parameter as a literal string rather than part of the SQL query itself. Is there another technique that I may use to accomplish my goal?
Thanks in advance for your opinion, suggestion, criticism, etc.
--Tom.Dynamic SQL|||and look up SQL Injection
DECLARE @.SQL varchar(8000)
SELECT @.SQL = 'SELECT * FROM INFORMATION_SCHEMA'
EXEC(@.SQL)
You should use dynamic as a last reort...
What prob you trying to solve?
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment