0

I want to insert @inputData to ColumnData if it doesn't exists to prevent duplicate data to a table with name as parameter @TableName. Error at the 'dbo.@TableName'.

SET @insertSQL = 'INSERT INTO '+ @TableName + ' (ColumnData) VALUES ('''+@inputData+''');'

IF NOT EXISTS (SELECT 1 FROM [dbo].[@TableName] WHERE ColumnData = @inputData)
    EXECUTE(@insertData) -- EXECUTE @insertData if ColumnData is not found

I also tried this (also throws error):

SET @insertSQL = 'INSERT INTO '+ @TableName + ' (ColumnData) VALUES ('''+@inputData+''');'

IF NOT EXISTS (EXECUTE('SELECT 1 FROM [dbo]. '+@TableName ' WHERE ColumnData = ' + @inputData))
    EXECUTE(@insertData)   -- EXECUTE @insertData if ColumnData is not found
marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Brian Sanchez
  • 149
  • 2
  • 16

1 Answers1

0

It look like you are splitting the dynamic SQL statement. Try something like this:

DECLARE @SQL NVARCHAR(MAX) = N'
IF NOT EXISTS (SELECT 1 FROM dbo.' + QUOTENAME(@TableName)  + ' WHERE ColumnData = @inputData
   INSERT INTO ' + QUOTENAME(@TableName) + ' (ColumnData) VALUES (@inputData)'

EXEC sp_executesql @SQL, N'@inputData VARCHAR(128)', @inputData = @inputData

Table name cannot be parameterized, so it must be appended. However, QUOTENAME is strongly recommended to avoid SQL injection.

On the other hand, @inputData can be sent as a parameter, that's why sp_executesql can be used.

Generally speaking, unless you are not dealing with parameters, try to always use sp_executesql instead of simple EXEC (), as EXEC forces into ugly string concatenation and possible injectable SQL statements.

Community
  • 1
  • 1
Alexei - check Codidact
  • 22,016
  • 16
  • 145
  • 164