| Author |
Topic |
|
sqllover
Constraint Violating Yak Guru
338 Posts |
Posted - 2007-01-23 : 00:02:22
|
| hi, i have this sql statement:

@uname varchar(20)
select @sql = 'select user_name, password, role_code, expiry_date,effective_from,active from usermaster where userid='1' and username like'@uname%'

it is not working for me. i don't know how to pass values in dynamic sql, can anyone answer for me please. |
|
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2007-01-23 : 00:35:23
|
| select @sql = 'select user_name, password, role_code, expiry_date,effective_from,active from usermaster where userid = ''1'' and username like ''' + @uname + '%'''

Peter Larsson
Helsingborg, Sweden |
 |
|
|
jezemine
Master Smack Fu Yak Hacker
2886 Posts |
Posted - 2007-01-23 : 00:56:27
|
better would be to use sp_executesql and no string concatenation. building up a string using concatenation like that and then executing it opens up your server to sql injection.

details here: http://www.sommarskog.se/dynamic_sql.html

www.elsasoft.org |
 |
|
|
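The sp_executesql approach recommended in the reply above, shown next to the concatenated form, as an added example that is not part of the original thread. The temp table #usermaster, its rows, and the variables @userid, @pattern and @concat are constructed for illustration; only the column and table names come from the question.

```sql
-- Constructed stand-in for the poster's usermaster table (assumed column types).
CREATE TABLE #usermaster (
    userid         varchar(10),
    username       varchar(20),
    role_code      varchar(10),
    expiry_date    datetime,
    effective_from datetime,
    active         bit
);
INSERT INTO #usermaster VALUES ('1', 'alice',    'ADM', '20990101', '20070101', 1);
INSERT INTO #usermaster VALUES ('1', 'o''brien', 'USR', '20990101', '20070101', 1);
INSERT INTO #usermaster VALUES ('2', 'bob',      'USR', '20990101', '20070101', 1);

DECLARE @uname   varchar(20),
        @userid  varchar(10),
        @pattern varchar(21),
        @concat  nvarchar(4000),
        @sql     nvarchar(4000);

SET @uname  = 'o''br';   -- constructed input that happens to contain a single quote
SET @userid = '1';

-- Concatenated form: the input becomes part of the statement text.
-- It is only printed here, so the changed statement can be inspected.
SET @concat = N'select username, role_code from #usermaster where userid = ''1'' '
            + N'and username like ''' + @uname + N'%''';
PRINT @concat;

-- Parameterized form: the statement text is a constant and the values
-- travel separately, so a quote in @uname stays data.
SET @pattern = @uname + '%';
SET @sql = N'select username, role_code, expiry_date, effective_from, active
             from #usermaster
             where userid = @userid and username like @pattern';

EXEC sp_executesql
     @sql,
     N'@userid varchar(10), @pattern varchar(21)',
     @userid  = @userid,
     @pattern = @pattern;

DROP TABLE #usermaster;
```

A `%` or `_` inside @uname still acts as a LIKE wildcard in the parameterized form; it widens the match but cannot change the statement.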
sqllover
Constraint Violating Yak Guru
338 Posts |
Posted - 2007-01-23 : 05:48:40
|
| hi peso, jezemine thanks a lot for reply |
 |
|
|