Thanks for your time, is there a way to execute the create database part of the statement before the use database name?
I guess I could create 2 set and execute statements but there must be a better way ?
CREATE PROCEDURE [dbo].[Master]
#DBNAME NVARCHAR(50)
AS
DECLARE #CODE NVARCHAR(MAX)
SET #CODE = 'CREATE DATABASE '+#DBNAME+'; USE '+#DBNAME
EXEC SP_Executesql #CODE
Thanks in advance
Related
I want to use the value from variables that is passed into the stored proc. Is that allow?
For example, I want to pass CID=5,SID=4 Into an Update Stored Proc
and it looks like this:
CREATE PROCEDURE Update #CID nvarchar(4),#SID nvarchar(4)
AS
DELETE FROM [User"+#CID+#SID+"]
GO;
In which is like "DELETE FROM [User54]"
But I want to dynamically done given the parameter
Can it be done and how is it done?
Thanks
You must use dynamic SQL. To do it safely, ensure the created object name is properly delimited using the quotename function.
Like this:
CREATE OR ALTER PROCEDURE UpdateSomeTable #CID nvarchar(4), #SID nvarchar(4)
AS
begin
declare #tableName nvarchar(500) = quotename(concat('User',#CID,#SID));
declare #sql nvarchar(max) = concat('DELETE FROM ',#tableName);
--print #sql
exec sp_executesql #sql
end
I am new to sql. I would like to ask what should I do when I will create a database using a stored procedure.
I usually do this to create database: create databse db_mydatabase
a database name db_mydatabse will be created.
Question: how will I able to create a database using stored procedure?
Use this
create procedure sp_create_db #name nvarchar(500)
as
begin
declare #sql nvarchar(max);
set #sql='CREATE DATABASE '+#name;
EXECUTE(#sql)
end
The caller of the procedure who is in database AAA:-
use AAA
exec BBB.dbo.ap_MyProc
The procedure being called which is in database BBB:-
use BBB
create procedure ap_MyProc as
print 'We want a way to return the database name AAA'
Any advice would be appreciated.
Well i can now answer my own question. We can exploit syslockinfo...
declare #db_name varchar(255)
select
#db_name = db_name(rsc_dbid)
from
master.dbo.syslockinfo
where
req_spid = ##SPID
and req_ownertype = 4 --"exSession"
and rsc_dbid <> db_id()
select #db_name = isnull(#db_name, db_name())
print #db_name
Works in SQL 2008 as well. :)
Can your stored procedure be edited? If yes, I think you can edit the stored procedures and add one more parameter for the database name.
And during calling the stored procedure, you should pass the db_name() into the new parameter, so that your stored procedure could know which database is calling it
DECLARE #ServerName varchar(50) = db_name()
EXEC [dbo].[SP] #newParams = #ServerName
I wanted to create a table using dynamic SQL.
If I creates a table using
CREATE Table TodayTemp(id varchar(20))
DROP TABLE TodayTemp
Then there is no problem. It works fine. But problem using this is I can't create columns dynamically. Hence I tried using store create script in a variable and then finally execute them using EXEC command.
Like
Declare #CreateTableCmd varchar(max)
SET #CreateTableCmd = 'CREATE Table TodayTemp(id varchar(20))'
Exec #CreateTableCmd
But this causes an error
Msg 2812, Level 16, State 62, Line 6
Could not find stored procedure 'CREATE Table TodayTemp(id varchar(20))'.
Add parentheses around your variable when executing
Declare #CreateTableCmd varchar(max)
SET #CreateTableCmd = 'CREATE Table TodayTemp (id varchar(20))'
Exec (#CreateTableCmd)
^---------------^--------here
SQLFiddle demo
if you want to exec your script with exec, call it like this:
Exec (#CreateTableCmd)
Another way to do this is to use sp_executesql stored procedure:
exec sp_executesql #stmt = #CreateTableCmd
there're many links comparing this two approaches:
https://dba.stackexchange.com/questions/4559/difference-between-exec-and-sp-executesql-with-no-parameters
http://www.sqlskills.com/blogs/kimberly/exec-and-sp_executesql-how-are-they-different/
Declare #CreateTableCmd varchar(max)
SET #CreateTableCmd = 'CREATE Table TodayTemp'
Exec (#CreateTableCmd)
That should do the trick
Raj
I want to parametrize my stored procedure's input to prevent sql injection. The problem is MY database has no application(It's just for school) & as there's no client language like C# etc, I have to do it with sql itself. i did this
ALTER procedure [dbo].[drop_tt]
#ss varchar(40)
as
EXEC sp_executesql N'SELECT *
FROM tt
whERE ss = #Ss', N'#ss varchar(40)', #ss
but when I execute this statement the tt table was droped :(
exec drop_tt 'www';drop table tt--'
anyone can help?
In short: why are you altering sp? you just need to create a parametrized stored procedure like:
CREATE PROCEDURE uspGetAddress #City nvarchar(30)
AS
SELECT *
FROM AdventureWorks.Person.Address
WHERE City = #City
GO
Just look at this very simple tutorial , you don't need to alter your procedures.
Edit: my approach would be to get rid off the statement EXEC sp_executesql and naming that starts with drop. Just try to simplify your stored procedure execution statement in the body.