Passing a database name as a stored procedure parameter

SQL Server Ask the Experts

2585 pts.

Tags:

Stored Procedures

T-SQL

I would like to be able to pass the name of a database as a parameter to a stored procedure. This db would be used for certain queries and may be different from the db where the stored procedure runs. Is it possible to specify a database name from within the T-SQL of the stored procedure? If so, how?

Asked: March 11, 2008 10:13 PM Last updated: March 12, 2008 6:51 AM

Answer Wiki

Last updated: March 12, 2008 6:51 AM GMT

Denny Cherry68,390 pts.
History
Contributors
- Ordered by most recent
- Denny Cherry68,390 pts.

Thanks. We'll let you know when a new response is added.

Yes you can do this, however it is not recommended. You have to use a technique called dynamic SQL. There are security risks on using dynamic SQL as the user who runs the procedure much have access to the table or tables listed in the dynamic SQL, and dynamic SQL is subject to a SQL injection attack.

That said, the syntax would be something like this.

<pre>CREATE PROCEDURE MyProcedure
@DBName sysname
AS
DECLARE @cmd nvarchar(2000)
SET @cmd = N’SELECT * FROM ‘ + @DBName + ‘.dbo.SomeTable’
exec (@cmd)
GO</pre>

You can add more input parameters as needed.

Discuss This Question: 3 Replies

Denny Cherry Mar 12, 2008 6:51 AM GMT

Check out my SQL Server blog "SQL Server with Mr Denny" for more SQL Server information.

68,390 pointsBadges:

report
jaimie Oct 1, 2012 6:01 AM GMT

How can we restrict the SQL injection in the above said description.

Jaimie El Rohi Nelaturi.

10 pointsBadges:

report
TomLiotta Oct 1, 2012 6:20 AM GMT

How can we restrict the SQL injection... You do it using the same techniques that restrict "SQL injection" in any cirucumstances. You validate the parameter values with your code. You write the code to ensure that only parameter values that you define as acceptable are used. Tom

125,585 pointsBadges:

report