Dynamic SQL stored procedure and datetime

Question

I have a simple query that I want to convert to dynamic SQL. I have 2 input parameters: a table and a datetime. And the output is the rowcount for the table and this specific datetime. I tried different solutions. I tried the query with execute sp_executesql, I tied to add the the ''' before and after the @P_LOAD_DATE. I

Accepted Answer

You need to properly and safely inject your dynamic object name and parametrise your parameter:CREATE PROCEDURE [etl].[ROWCOUNT_TST2](@P_LOAD_SCHEMA sysname = N'dbo', --Always define your schema                                       @P_LOAD_TARGET sysname, --sysname is the data type for objects, a synonym of nvarchar(128) NOT NULL                                       @P_LOAD_DATE datetime) ASBEGIN    DECLARE @SQL nvarchar(MAX),            @CRLF nchar(2) = NCHAR(13) + NCHAR(10);    SET @SQL = N'SELECT COUNT(*) AS Inserted' + @CRLF +               N'FROM ' + QUOTENAME(@P_LOAD_SCHEMA) + N'.' + QUOTENAME(@P_LOAD_TARGET) + @CRLF +               N'WHERE VALID_FROM = @P_LOAD_DATE' + @CRLF +               N'  AND VALID_TO IS NULL;';    --PRINT @SQL; --Your best friend.    EXEC sys.sp_executesql @SQL, N'@P_LOAD_DATE datetime', @P_LOAD_DATE;END;

Advertisement

Answer