| Subject | Re: [firebird-support] EXECUTE STATEMENT problem understanding |
|---|---|
| Author | Mark Rotteveel |
| Post date | 2013-07-26T11:09:40Z |
On Fri, 26 Jul 2013 11:26:31 +0100, Alan J Davies
<Alan.Davies@...> wrote:
nothing stops you from dynamically building the statement itself. Just be
sure that the tablename is not userinput, otherwise you open yourself to
SQL injection.
Eg
s = "UPDATE " || table_to_use || " SET ..." -- etc
Mark
<Alan.Davies@...> wrote:
> Thanks Mark, it appears that what I want to do is not possible. i.e.You can't pass the table name as parameter to EXECUTE STATEMENT, but
> have the table name as a replaceable parameter. Using your example I
> would still have 3 separate statements (as now) but in a different
> format in the SP.
> What I really would like to be able to do is (paraphrase):
> declare table_to_use varchar(20);
> if my_input_parameter='T' then table_to_use='q_tool'
> else if my_input_parameter='G' then table_to_use='q_gauge'
> else if my_input_parameter='P' then table_to_use='q_ppap'
> end;
> and then this code only once in the SP.
>
> s = 'update :table_to_use set tgp_no = :tgp_no, del_date = :del_date
> where pjs_no = :pjs_no'
> EXECUTE STATEMENT (s) (tgp_no := tgp_no, del_date := del_date, pjs_no
> := pjs_no);
nothing stops you from dynamically building the statement itself. Just be
sure that the tablename is not userinput, otherwise you open yourself to
SQL injection.
Eg
s = "UPDATE " || table_to_use || " SET ..." -- etc
Mark