Comments on Vadivel's blog: sp_executesql( ) vs Execute() -- Dynamic Queries
Blog author: Vadivel. Comment feed last updated: 2023-10-29T20:45:15.971+05:30

Anonymous (2010-09-01T22:03:51.932+05:30):

I am working on a similar SP that has a tablename input but also has a date input parameter and here it is

    USE sample
    GO
    CREATE PROCEDURE select_tab @tblname sysname, @date date
     AS
    Declare @sdate date
    set @sdate = @date
    DECLARE @sql varchar(max)
    SET @sql = 'SELECT *
     FROM dbo.' + quotename(@

Anonymous (2007-09-19T21:12:00.000+05:30):

I have 4 variables that are OUTPUT variables (to be used subsequently in my sp) in my sp_executesql call. But I get an error:

    Server: Msg 8144, Level 16, State 2, Line 0
    Procedure or function has too many arguments specified.

So how do I retrieve the OUTPUT variables data?

Appreciate your help.

Thanks.

Vadivel (2006-12-27T00:11:00.000+05:30):

Very true Pandu. That's the reason I have mentioned it's not the right way to code :) Also I have provided a link "Curse and Blessing of Dynamic SQL" .. there is a topic on SQL injection there too.

Anonymous (2006-12-26T23:22:00.000+05:30):

You are asking to be shot in the head if you write SPs that take user input and execute them.

First target of hackers wanting to rip through using SQL injection.