Is it possible to have an SP that looks something like this:
DECLARE @tableName = null;
DECLARE @cols = null;
DECLARE @values = null;
INSERT INTO @tableName @cols @values;
The resultant query looks like this:
INSERT INTO <table name> (<set of column names>) VALUES (<set of corresponding values>);
My use case is that I'm parsing Excel data into a database, i.e. a single workbook of 'type X' equates to a single row in this database. These workbooks are filled in from a template, so the data format is pretty constant. To parse the data I create a sheet in the workbook called 'DATA' or something, that looks like this:
tableName | attributeName | attributeValue | .. plus some config stuff
People | Firstname | Johnny | etc
People | Lastname | Heinz | etc
People | Firstname | Sam | etc
People | Lastname | Smith | etc
This would equate to two rows in the People
table of the database (multiple rows are recognized by repeating attributeNames
for a specific table).
The reasons this needs to be dynamic SQL is:
- I'd like this to be applicable to any table in the database
- I won't know how many cols a particular table has before parsing
Best Answer
You should be validating table names and column names. Table names are easy to check, but for column names we'll use this function:
You should be using strongly-typed parameters for parameter values, to protect yourself from SQL injection vulnerabilities. Understanding where these parameter values come from will help to further refine this solution, but for now you'll just have to blindly append your values list and hope for the best:
I am not sure how you are building the
@ParamValues
parameter but if you have string delimiters embedded in it (like5, 'foo', '20160206'
), you'll need to double those up somewhere so that it becomes5, ''foo'', ''20160206''
- this becomes a challenge when you have strings likeO'Brien
- one of just many reasons why you should be using proper parameters instead of concatenating one big string with all your values.See the following: