您需要创建动态 SQL 查询，***使用 QUOTENAME 函数.您可以使用 QUOTENAME 功能避免恶意输入带来的任何问题.

You need to create a dynamic SQL query, preferably using the QUOTENAME function. You can avoid any issues from malicious input by using QUOTENAME function.

这是一个示例脚本，它说明了如何通过传入表名来创建动态 SQL 查询来查询表.您可以将表名按值更改为变量 @tablename.

Here is a sample script that illustrates how to query a table by creating a dynamic SQL query by passing in a table name. You can change the table name by value to the variable @tablename.

CREATE TABLE sample
(
    id INT NOT NULL
);

INSERT INTO sample (id) VALUES
  (1),
  (2),
  (3),
  (4),
  (5),
  (6);

动态 SQL 脚本:

DECLARE @execquery AS NVARCHAR(MAX)
DECLARE @tablename AS NVARCHAR(128)

SET @tablename = 'sample'
SET @execquery = N'SELECT * FROM ' + QUOTENAME(@tablename)

EXECUTE sp_executesql @execquery

演示:

点击此处查看 SQL Fiddle 中的演示.

动态 SQL 的诅咒和祝福