59
create procedure sp_First
@columnname varchar
AS
begin
select @columnname from Table_1
end 
exec sp_First 'sname'

My requirement is to pass column names as input parameters. I tried like that but it gave wrong output.

So Help me

Taryn
  • 242,637
  • 56
  • 362
  • 405
user1169809
  • 777
  • 3
  • 8
  • 10
  • 3
    can you please select the best answer to this question, the current first answer is misleading. – ctbrown Jun 21 '14 at 16:03

9 Answers9

80

You can do this in a couple of ways.

One, is to build up the query yourself and execute it.

SET @sql = 'SELECT ' + @columnName + ' FROM yourTable'
sp_executesql @sql

If you opt for that method, be very certain to santise your input. Even if you know your application will only give 'real' column names, what if some-one finds a crack in your security and is able to execute the SP directly? Then they can execute just about anything they like. With dynamic SQL, always, always, validate the parameters.

Alternatively, you can write a CASE statement...

SELECT
  CASE @columnName
    WHEN 'Col1' THEN Col1
    WHEN 'Col2' THEN Col2
                ELSE NULL
  END as selectedColumn
FROM
  yourTable

This is a bit more long winded, but a whole lot more secure.

MatBailie
  • 83,401
  • 18
  • 103
  • 137
  • 19
    +1, `This is a bit more long winded, but a whole lot more secure.` – KM. Apr 10 '12 at 17:28
  • 1
    If you're getting the columns from another table "UpdateableColumns" you can also do some kind of verification with it. Example: "Where Column exist in (select ColumnName from UpdateableColumns)" – EduLopez Sep 14 '15 at 18:13
  • The secure solution WILL NOT WORK if the columns are of different types. – Christopher Bales Aug 15 '23 at 16:38
  • @ChristopherBales If they're different types, you're probably doing something wrong. SQL is both strongly and statically typed, and that includes the signature of the data frames. While dynamic sql is easily capable of accommodating that, it integrates poorly with other rdms constructs, and is a very ripe code smell. – MatBailie Aug 16 '23 at 00:13
13

No. That would just select the parameter value. You would need to use dynamic sql.

In your procedure you would have the following:

DECLARE @sql nvarchar(max) = 'SELECT ' + @columnname + ' FROM Table_1';
exec sp_executesql @sql, N''
Darren Kopp
  • 76,581
  • 9
  • 79
  • 93
  • 2
    No, not much slower. The only amount it's slower by is the string concatenation overhead. sp_executesql will execute the text in a way where it will be translated into an execution plan just like any other command. – Darren Kopp Aug 21 '14 at 14:35
10

Try using dynamic SQL:

create procedure sp_First @columnname varchar 
AS 
begin 
    declare @sql nvarchar(4000);
    set @sql='select ['+@columnname+'] from Table_1';
    exec sp_executesql @sql
end 
go

exec sp_First 'sname'
go
John Dewey
  • 6,985
  • 3
  • 22
  • 26
6

This is not possible. Either use dynamic SQL (dangerous) or a gigantic case expression (slow).

usr
  • 168,620
  • 35
  • 240
  • 369
  • If the CASE is only in the SELECT statement (and not in a JOIN, WHERE clause, ORDER BY, etc) then this option is not actually that slow. – MatBailie Apr 10 '12 at 16:51
  • 1
    It will pull out all columns every time, no matter what concrete column is requested. – usr Apr 10 '12 at 16:51
2
   Create PROCEDURE USP_S_NameAvilability
     (@Value VARCHAR(50)=null,
      @TableName VARCHAR(50)=null,
      @ColumnName VARCHAR(50)=null)
        AS
        BEGIN
        DECLARE @cmd AS NVARCHAR(max)
        SET @Value = ''''+@Value+ ''''
        SET @cmd = N'SELECT * FROM ' + @TableName + ' WHERE ' +  @ColumnName + ' = ' + @Value
        EXEC(@cmd)
      END

As i have tried one the answer, it is getting executed successfully but while running its not giving correct output, the above works well

Out
  • 627
  • 2
  • 13
  • 20
1

You can pass the column name but you cannot use it in a sql statemnt like 

Select @Columnname From Table

One could build a dynamic sql string and execute it like EXEC (@SQL)

For more information see this answer on dynamic sql.

Dynamic SQL Pros and Cons

Community
  • 1
  • 1
Jon Raynor
  • 3,804
  • 6
  • 29
  • 43
1

As mentioned by MatBailie This is much more safe since it is not a dynamic query and ther are lesser chances of sql injection . I Added one situation where you even want the where clause to be dynamic . XX YY are Columns names 

            CREATE PROCEDURE [dbo].[DASH_getTP_under_TP]
    (
    @fromColumnName varchar(10) ,
    @toColumnName varchar(10) , 
    @ID varchar(10)
    )
    as
    begin

    -- this is the column required for where clause 
    declare @colname varchar(50)
    set @colname=case @fromUserType
        when 'XX' then 'XX'
        when 'YY' then 'YY'
        end
        select SelectedColumnId  from (
       select 
            case @toColumnName 
            when 'XX' then tablename.XX
            when 'YY' then tablename.YY
            end as SelectedColumnId,
        From tablename
        where 
        (case @fromUserType 
            when 'XX' then XX
            when 'YY' then YY
        end)= ISNULL(@ID , @colname) 
    ) as tbl1 group by SelectedColumnId 

    end
Saronyo
  • 158
  • 7
0

First Run;

CREATE PROCEDURE sp_First @columnname NVARCHAR(128)--128 = SQL Server Maximum Column Name Length
AS
BEGIN

    DECLARE @query NVARCHAR(MAX)

    SET @query = 'SELECT ' + @columnname + ' FROM Table_1'

    EXEC(@query)

END

Second Run;

EXEC sp_First 'COLUMN_Name'
Smh
  • 249
  • 2
  • 4
-3

Please Try with this. I hope it will work for you.

Create Procedure Test
(
    @Table VARCHAR(500),
    @Column VARCHAR(100),
    @Value  VARCHAR(300)
)
AS
BEGIN

DECLARE @sql nvarchar(1000)

SET @sql = 'SELECT * FROM ' + @Table + ' WHERE ' + @Column + ' = ' + @Value

--SELECT @sql
exec (@sql)

END

-----execution----

/** Exec Test Products,IsDeposit,1 **/
Toto
  • 89,455
  • 62
  • 89
  • 125
Sujay
  • 21