Question : SQL Server Dynamic Procedure Design

I'm tasked with transforming inline dynamic SQL into a SQL stored procedure.  The object is to eliminate SQL injection potential from the application.  I am aware of the 'sp_executesql...' procedure but still need a good way to dynamically construct its string.  The problem is I need to build the query using dynamic 'Field' + 'Comparison' (=,<,>) + 'FieldValue'.  'sp_executesql' only allows 'FieldValue' to be inserted.  How do I achieve this with 'Field' and 'Comparison'?

Answer : SQL Server Dynamic Procedure Design

then you would just do this:

execute sp_executesql @strSQL

you don't have to pass in the params that way... you could have done it this way too:

-- @strSQL must be nvarchar for sp_executesql; the value stays a parameter marker, not a concatenated literal
SET @strSQL = @strSQL + N' WHERE ' + @SearchField + N' ' + @SearchCondition + N' @SearchValue '

execute sp_executesql
@strSQL,
N'@SearchValue nvarchar(1000)',   -- parameter definition list must be a Unicode string
@SearchValue = @SearchValue       -- bind the outer variable to the marker in the statement
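The field and operator cannot be bound as parameters, so the only safe option is to validate them before concatenation. The following is an added example, not code from the answer above; it assumes a table dbo.Customers with columns CustomerId and Name, checks the field against the catalog, restricts the operator to a fixed set, and binds only the value through sp_executesql:

```sql
-- Added example (not from the original answer). Table and column names are assumed.
CREATE PROCEDURE dbo.SearchCustomers
    @SearchField     sysname,
    @SearchCondition nvarchar(2),
    @SearchValue     nvarchar(1000)
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. The field must be a real column of the target table: check the catalog,
    --    never trust the caller's spelling of an identifier.
    IF NOT EXISTS (
        SELECT 1
        FROM sys.columns
        WHERE object_id = OBJECT_ID(N'dbo.Customers') AND name = @SearchField)
    BEGIN
        RAISERROR(N'Unknown search field.', 16, 1);
        RETURN;
    END;

    -- 2. The operator must be one of a fixed allow-list (NULL is rejected too,
    --    since NULL NOT IN (...) would otherwise evaluate to unknown and slip past).
    IF @SearchCondition IS NULL
       OR @SearchCondition NOT IN (N'=', N'<', N'>', N'<=', N'>=', N'<>')
    BEGIN
        RAISERROR(N'Unsupported comparison operator.', 16, 1);
        RETURN;
    END;

    -- 3. Build the statement: identifier wrapped in QUOTENAME, operator from the
    --    checked set, and the value left as a parameter marker for sp_executesql.
    DECLARE @strSQL nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE '
        + QUOTENAME(@SearchField) + N' ' + @SearchCondition + N' @SearchValue;';

    EXECUTE sp_executesql
        @strSQL,
        N'@SearchValue nvarchar(1000)',
        @SearchValue = @SearchValue;
END;
GO

-- Constructed call: the quote in the value is bound as data, not parsed as SQL.
EXECUTE dbo.SearchCustomers
    @SearchField = N'Name', @SearchCondition = N'=', @SearchValue = N'O''Brien';
```

A field name that is not in sys.columns, or an operator outside the list, is rejected before any string is built, so the only text that reaches the concatenation is a quoted identifier the catalog already knows and one of six fixed tokens.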