I want to pass my [Domain\username] as a string.
And if I pass my database name as a string, how do I execute the line below? It doesn't accept a string.
How to overcome the above problem?
You could use dynamic SQL.
This isn't as good as the best way to use sp_executesql (that would involve passing in the parameters, but you would be right back where you started), but the quotename will help protect you from potential SQL injection attacks.
If you do end up using dynamic SQL to do this, be sure you have read Erland Sommarskog's article on the subject, as well as Kim Tripp's article on the same subject: http://www.sqlskills.com/BLOGS/KIMBERLY/post/Little-Bobby-Tables-SQL-Injection-and-EXECUTE-AS.aspx
answered Jun 08, 2011 at 04:03 AM
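The approach described in the answer above, as an added example that is not part of the original post: identifiers (database name, Windows login) go through QUOTENAME, while ordinary values are passed as real sp_executesql parameters. The statement being built (CREATE USER ... FOR LOGIN) and the sample names are assumptions, because the line from the question is not shown on the page.

```sql
-- Constructed sample inputs; in practice these arrive as procedure parameters.
DECLARE @DatabaseName sysname = N'SampleDb';
DECLARE @LoginName    sysname = N'CONTOSO\jsmith';
DECLARE @sql          nvarchar(max);

-- Check both names against the catalog before any SQL text is built.
IF DB_ID(@DatabaseName) IS NULL
BEGIN
    RAISERROR(N'Database %s does not exist.', 16, 1, @DatabaseName);
    RETURN;
END;

IF SUSER_ID(@LoginName) IS NULL
BEGIN
    RAISERROR(N'Login %s does not exist.', 16, 1, @LoginName);
    RETURN;
END;

-- Identifiers cannot be bound as parameters, so they are concatenated,
-- but only after QUOTENAME wraps them in [] and doubles any embedded ].
SET @sql = N'USE ' + QUOTENAME(@DatabaseName) + N'; '
         + N'CREATE USER ' + QUOTENAME(@LoginName)
         + N' FOR LOGIN '  + QUOTENAME(@LoginName) + N';';

PRINT @sql;   -- review the generated statement before running it
EXEC sys.sp_executesql @sql;

-- Values (as opposed to identifiers) are bound as parameters, never concatenated.
SET @sql = N'SELECT name, type_desc FROM '
         + QUOTENAME(@DatabaseName) + N'.sys.database_principals '
         + N'WHERE name = @name;';

EXEC sys.sp_executesql @sql, N'@name sysname', @name = @LoginName;

-- What QUOTENAME does to a hostile value (constructed input): the closing
-- bracket is doubled, so the whole string stays a single identifier.
SELECT QUOTENAME(N'SampleDb]; DROP TABLE dbo.t; --') AS quoted;
-- quoted: [SampleDb]]; DROP TABLE dbo.t; --]
```

QUOTENAME returns NULL for input longer than 128 characters, which would turn the whole concatenated string into NULL; declaring the variables as sysname keeps inputs within that limit.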