Do you know how to safely pass in a table name or column name parameter value into your dynamic SQL query?
sp_executesql won't allow you to parameterize SQL object names. You have to fall back to building dynamic SQL and concatenating those object names into your SQL string, which is exactly where injection creeps in unless the names are validated and quoted first.
In this video we examine how to do so safely without opening yourself up to SQL injection attacks.
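The pattern the video covers, as an added T-SQL example that is not the author's code from the video or the linked blog post: the schema, table and column names are checked against the catalog views, then bracket-quoted with QUOTENAME(), while the actual data value still travels through sp_executesql as a real parameter. The procedure name dbo.SearchColumn and the @SearchValue length are assumptions.

```sql
-- Added example (not the author's code). Procedure name and sizes are assumptions.
-- Unsafe version for contrast:
--   SET @Sql = N'SELECT * FROM ' + @TableName + N' WHERE ' + @ColumnName + N' = ''' + @SearchValue + N'''';
-- A @ColumnName of  x = 1; DROP TABLE dbo.Customers;--  runs as a second statement.

CREATE OR ALTER PROCEDURE dbo.SearchColumn
    @SchemaName  sysname,
    @TableName   sysname,
    @ColumnName  sysname,
    @SearchValue nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Identifiers cannot be bound as parameters, so validate them against
    --    the catalog before they touch the SQL string: anything that is not
    --    an existing column of an existing table is rejected outright.
    IF NOT EXISTS (
        SELECT 1
        FROM sys.columns AS c
        JOIN sys.tables  AS t ON t.object_id = c.object_id
        JOIN sys.schemas AS s ON s.schema_id = t.schema_id
        WHERE s.name = @SchemaName
          AND t.name = @TableName
          AND c.name = @ColumnName)
    BEGIN
        THROW 50001, N'Unknown schema, table or column.', 1;
    END;

    -- 2. QUOTENAME() wraps each identifier in [ ] and doubles any embedded ']',
    --    so a name such as  Foo]; DROP TABLE dbo.Customers;--  stays a single
    --    (non-existent, and already rejected above) identifier.
    DECLARE @Sql nvarchar(max) =
          N'SELECT * FROM ' + QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName)
        + N' WHERE ' + QUOTENAME(@ColumnName) + N' = @SearchValue;';

    -- 3. The data value is still a real parameter, never concatenated.
    EXEC sys.sp_executesql
         @Sql,
         N'@SearchValue nvarchar(100)',
         @SearchValue = @SearchValue;
END;
GO

-- Usage (assumes a table dbo.Customers with a LastName column exists):
EXEC dbo.SearchColumn N'dbo', N'Customers', N'LastName', N'Smith';
```

Two caveats worth knowing: QUOTENAME() returns NULL for input longer than 128 characters, which makes the whole concatenated @Sql NULL and the sp_executesql call fail rather than run something unexpected, so the failure mode is safe but worth a clearer error in production. And the catalog check is the real control; QUOTENAME() alone only stops an attacker from breaking out of the identifier, it does not stop them from naming a column they were not supposed to query.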
Links below.
Blog post with example queries:
[ Link ]
Follow me on Twitter:
[ Link ]
Want to receive my latest weekly blog posts and videos in your inbox? Sign up for the newsletter here: [ Link ]