Click here to Skip to main content
15,885,952 members
Search within:


I have created tables with column names as iname and quantity. I want to take parameters from user 'tablename' 'iname' and 'quantity' . Shows error please help
Please Sign up or sign in to vote.
1.00/5 (1 vote)
SQL
alter procedure spinserttable 
@tname varchar (50)
as 
begin
declare @sql nvarchar(max)
declare @parameter varchar(100)
declare @iname varchar(50)
declare @quantity int
set @sql= 'insert into ' + @tname + '(iname, quantity) values ( '+ @iname +', '+ @quantity +')'
set @parameter = '@iname varchar(50) @quantity int'
execute sp_executesql @sql, @parameter, @iname ,@quantity
end


What I have tried:

i gave me error 
'must declare scaler variable 'iname' so i declare iname and quantity' now it gives me error 'Conversion failed when converting the varchar value ')' to data type int'
Posted
Updated 21-Apr-20 5:57am
v2
Add a Solution

2 solutions

You're using string concatenation to build the dynamic SQL query. That leaves your code open to SQL Injection[^].

You need to pass the parameters as parameters instead of concatenating their values into the query.

Unfortunately you can't do that for the table name. Instead, you'll need to validate that the passed name is a valid table name.

You'll also want to be able to pass the values to insert into your stored procedure.
SQL
ALTER PROCEDURE spinserttable 
    @tname sysname,
    @iname varchar(50),
    @quantity int
As 
BEGIN
DECLARE @SchemaName sysname, @TableName sysname;
DECLARE @sql nvarchar(max);
DECLARE @params nvarchar(100);
    
    SET NOCOUNT ON;
    
    SELECT
        @SchemaName = S.name,
        @TableName = T.name
    FROM
        sys.tables As T
        INNER JOIN sys.schemas As S
        ON S.schema_id = T.schema_id
    WHERE
        T.name = @tname
    ;
    
    If @@ROWCOUNT = 0 RAISERROR('Invalid table name: %s', 16, 1, @tname);
    
    SET @sql = N'INSERT INTO ' + QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName) + N' (iname, quantity) VALUES (@iname, @quantity)';
    
    SET @params = N'@iname varchar(50), @quantity int';
    
    EXECUTE sp_executesql @sql, @params, @iname, @quantity;
END
 
Share this answer
 
Posted
Hi Maciej,

I'll give this a try. Maybe you can do this.

SQL
set @sql= 'insert into ' + @tname + '(iname, quantity) values ('+ @iname +','+ CONCAT( @quantity, ')')
This will fix your current error.

Your current issue is this.
SQL
et @sql= 'insert into ' + @tname + '(iname, quantity) values ( '+ @iname +', '+ @quantity +')'
This throws an error when concatenation occurs with numerical value with nvarchar.

Here's what I did.
SQL
declare @tname varchar (50)
declare @sql nvarchar(max)
declare @parameter varchar(100)
declare @iname varchar(50)
declare @quantity int
set @sql= 'insert into ' + @tname + '(iname, quantity) values ('+ @iname +','+ CONCAT( @quantity, ')')


Works on my end. Thanks.

Cheers,
Jin
 
Share this answer
 
Posted
Comments
Richard Deeming 21-Apr-20 11:58am    
That still leaves the code vulnerable to SQL Injection[^].
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
how to count a column name quantity yearwise and display it in gridview.
Counting the quantities of an interger in an array
How to divide the product quantity based on the group quantity
Switch quantity not an integer
syntax error in create table command with variable tablename in c#
Sql server(BOM) material product quantity calculation by multiplier
How do I make the quantity in an allbooks table reduce when a user borrows a book?
how to deduct a quantity from a database using VB.NET
Problem fetching pending quantity and pending amount
How to show the list of first 3 highest ordered product and the total quantity using SQL SERVER

Advertise
Privacy
Cookies
Terms of Use
Last Updated 21 Apr 2020
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web01 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900