SQL with a table name as a parameter and a query longer than 4000 characters

I am trying to write a stored procedure that takes a table name as a parameter. Yes, I already know that this is a security vulnerability, but it is an internal stored process that does not face the typical risks of SQL Injection.

What I have so far looks something like this:

CREATE PROCEDURE [dbo].[myprocedure]
    @tableName sysname
AS
DECLARE @cmd nvarchar(4000)
SET @cmd = N' Select blah blah from ' + @tableName
EXEC (@cmd)
GO

The query will work theoretically, but my problem is that my query is longer than 4000 characters. Is there any other way to use @tableName in a cmd variable longer than 4000 characters (which is equal to nvarchar max)?

+3
4 answers

On SQL Server >= 2005, change nvarchar(4000) to nvarchar(MAX).

+8
DECLARE @cmd NVARCHAR(MAX);
+3

Extract some of your logic into views or user-defined functions.

+2

Use

DECLARE @cmd VARCHAR(8000)

instead of DECLARE @cmd NVARCHAR(MAX);

NVARCHAR(MAX) ALLOWS ONLY 4000 CHARACTERS.
0
source
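
A hardened variant of the procedure from the question, as an added example that is not part of the original thread: it resolves @tableName against the catalog, quotes it with QUOTENAME, and builds the command as NVARCHAR(MAX) so it is not cut at 4000 characters. The procedure name, the dbo-only restriction and the placeholder SELECT are assumptions.

```sql
-- Added example; [dbo].[myprocedure_safe] is a hypothetical name.
CREATE PROCEDURE [dbo].[myprocedure_safe]
    @tableName sysname
AS
BEGIN
    SET NOCOUNT ON;

    -- Resolve the name against the catalog instead of trusting the caller.
    -- Assumption: only user tables in schema dbo are valid targets.
    -- QUOTENAME returns up to 258 characters per part, hence 517 in total.
    DECLARE @quoted nvarchar(517);

    SELECT @quoted = QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
    FROM sys.tables AS t
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    WHERE t.name = @tableName
      AND s.name = N'dbo';

    -- No catalog match: stop before any dynamic SQL is built.
    IF @quoted IS NULL
    BEGIN
        RAISERROR(N'Unknown table: %s', 16, 1, @tableName);
        RETURN 1;
    END;

    -- Seed the command with an NVARCHAR(MAX) value. Concatenating only
    -- non-MAX strings produces a non-MAX result that is truncated at
    -- 4000 characters before it is assigned, even when the target
    -- variable is declared as NVARCHAR(MAX).
    DECLARE @cmd nvarchar(max);
    SET @cmd = CAST(N'' AS nvarchar(max));

    SET @cmd = @cmd
        + N'SELECT * '              -- placeholder for the long query text
        + N'FROM ' + @quoted        -- catalog-verified, bracket-quoted name
        + N' WHERE 1 = 1;';         -- placeholder predicate

    -- sp_executesql accepts NVARCHAR(MAX) on SQL Server 2005 and later.
    EXEC sys.sp_executesql @cmd;
END
GO
```

Values other than the table name should be passed through the parameter list of sp_executesql rather than concatenated into @cmd.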

Source: https://habr.com/ru/post/1723795/

