使用动态 SQL

declare @tablename sysname = N'ACTIVITY';
declare @sql  nvarchar(max);

set @sql = N'delete from Main.dbo.' + quotename(@tablename);
exec sp_executesql @sql;
set @sql = N'insert into Main.dbo.' + quotename(@tablename);
exec sp_executesql @sql;
set @sql = N'select * from Main.dbo.' + quotename(@tablename);
exec sp_executesql @sql;

非常使用QUOTENAME 在处理动态 SQL 时，因为 SQL 注入风险.动态 SQL 有利有弊，有关详细讨论，请参阅动态 SQL 的诅咒和祝福.

It is very important to use the QUOTENAME when handling dynamic SQL because of the SQL injection risk. Dynamic SQL has pros and cons, for an in dept discussion see The Curse and Blessings of Dynamic SQL.

SSMS 和 SQLCMD 具有使用客户端变量替换的能力:

SSMS and SQLCMD have capabilities to use client side variable substitution:

:setvar tablename Main.dbo.ACTIVITY
delete from $(tablename);
insert into $(tablename);
select * from $(tablename);

SQLCMD 模式变量在批量使用时大放异彩，因为这些变量可以通过 -v 参数.例如:

Where SQLCMD mode variables shine is when used in batches because the variables can be passed in via the -v argument. For example:

c:\>for /f %i in (tablenames.txt) do sqlcmd -S <servername> -E -d <dbname> -v tablename=%i -Q "truncate table $(tablename)"

请注意，在 SSMS 中，必须显式启用 SQLCMD 执行模式.

Note that in SSMS the SQLCMD execution mode must be enabled explicitly.