Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
gogetter
Starting Member
18 Posts |
 Posted - 2008-04-16 : 13:11:26
|
| I want to use a parameter value as a static value for an insert statement that I have written. The problem I am running into is that SQL is interpreting the parameter value as a column name since it is not contained in single quotes. Does anyone know it if is possible to interpret a parameter value as a static value for an insert statement? |
|
|
visakh16
Very Important crosS Applying yaK Herder
52326 Posts |
Posted - 2008-04-16 : 13:16:10
|
| are youusing like this?SET @param1=your valueINSERT INTO YoutTable (field1,....) SELECT @param1,...Where @param1 is your parameter |
 |
|
|
gogetter
Starting Member
18 Posts |
Posted - 2008-04-16 : 15:32:43
|
| I actually found a way to do it. Using char(39) I was able to create the impression of single quotes on each side of my parameter value. One of the developers in my office showed me this trick, apparently if you use char(39) + @variable + @char(39) your variable will be interpreted correctly. |
|
|
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2008-04-16 : 15:45:08
|
Are you also using DYNAMIC SQL?
E 12°55'05.25"N 56°04'39.16" |
|
|
|
jsmith8858
Dr. Cross Join
7423 Posts |
Posted - 2008-04-16 : 16:24:17
|
quote:
I actually found a way to do it. Using char(39) I was able to create the impression of single quotes on each side of my parameter value. One of the developers in my office showed me this trick, apparently if you use char(39) + @variable + @char(39) your variable will be interpreted correctly.
You should never, ever do that. Always use parameters properly, whether you are writing in-line sql or using stored procedures.See:http://weblogs.sqlteam.com/jeffs/archive/2006/07/21/10728.aspxAnd, please, pass that link (and links to "sql injection") to your co-worker as well.- Jeffhttp://weblogs.sqlteam.com/JeffS |
|
|
|
chandan_joshi80
Starting Member
30 Posts |
Posted - 2008-04-17 : 04:30:35
|
| DECLARE @param1 VARCHAR(50)SET @param1='CSC'INSERT INTO T1 SELECT @param1,COMPANYNAME FROM CUSTOMERS WHERE CUSTOMERID='A' IT IS WORKING,I THINK IT HAVE NO PROBLEM.chandan |
|
|
|
|
|
|
Passing Parameter Value as Insert Value