Updated: 2023-02-26 10:58:23
You need to create a dynamic SQL query, preferably using the QUOTENAME function. You can avoid any issues from malicious input by using the QUOTENAME function.
Here is a sample script that illustrates how to query a table by creating a dynamic SQL query by passing in a table name. You can change the table name by changing the value of the variable @tablename.
CREATE TABLE sample
(
    id INT NOT NULL
);

INSERT INTO sample (id) VALUES
(1),
(2),
(3),
(4),
(5),
(6);

-- Build the statement text. QUOTENAME wraps the name in [ ] and doubles any ]
-- found inside it, so the value can only ever be read as a single identifier.
DECLARE @execquery AS NVARCHAR(MAX);
DECLARE @tablename AS NVARCHAR(128);
SET @tablename = 'sample';
SET @execquery = N'SELECT * FROM ' + QUOTENAME(@tablename);

-- Run the generated statement.
EXECUTE sp_executesql @execquery;
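As an added example that is not part of the original answer, the script below wraps the same pattern in a stored procedure and adds the check a practitioner would want: the name is validated against sys.tables (scoped to one schema) before any SQL is built, and QUOTENAME keeps even a name containing `]` as one identifier. The procedure name dbo.SelectFromTable and the constructed test value are assumptions; the `sample` table from the answer is assumed to exist.

```sql
-- Added example: hardened wrapper around the dynamic SQL pattern above.
CREATE OR ALTER PROCEDURE dbo.SelectFromTable
    @tablename sysname          -- sysname = NVARCHAR(128), the identifier type
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Allowlist: only names that exist as user tables in dbo are accepted,
    --    so unknown or hostile input is rejected before any SQL is built.
    IF NOT EXISTS (SELECT 1
                   FROM sys.tables
                   WHERE name = @tablename
                     AND schema_id = SCHEMA_ID(N'dbo'))
    BEGIN
        THROW 50001, N'Unknown table name.', 1;
    END;

    -- 2. QUOTENAME wraps the name in [ ] and doubles any ] inside it, so the
    --    value can only ever be parsed as a single identifier. The schema is
    --    fixed in the text rather than taken from input.
    DECLARE @execquery NVARCHAR(MAX) =
        N'SELECT * FROM dbo.' + QUOTENAME(@tablename) + N';';

    EXECUTE sp_executesql @execquery;
END;
GO

-- Normal use: runs SELECT * FROM dbo.[sample];
EXECUTE dbo.SelectFromTable @tablename = N'sample';

-- Constructed test value that tries to close the identifier early.
-- QUOTENAME turns it into one bracketed identifier rather than two statements:
SELECT QUOTENAME(N'sample]; SELECT 1') AS quoted_identifier;   -- [sample]]; SELECT 1]

-- The allowlist rejects it before the query text is even assembled (error 50001).
EXECUTE dbo.SelectFromTable @tablename = N'sample]; SELECT 1';
```

CREATE OR ALTER requires SQL Server 2016 SP1 or later; on older versions use CREATE PROCEDURE.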