Can I pass column name as input parameter in SQL stored Procedure

sql stored-procedures

You can do this in a couple of ways.

One, is to build up the query yourself and execute it.

SET @sql = 'SELECT ' + @columnName + ' FROM yourTable'
sp_executesql @sql

If you opt for that method, be very certain to santise your input. Even if you know your application will only give 'real' column names, what if some-one finds a crack in your security and is able to execute the SP directly? Then they can execute just about anything they like. With dynamic SQL, always, always, validate the parameters.

Alternatively, you can write a CASE statement...

SELECT
  CASE @columnName
    WHEN 'Col1' THEN Col1
    WHEN 'Col2' THEN Col2
                ELSE NULL
  END as selectedColumn
FROM
  yourTable

This is a bit more long winded, but a whole lot more secure.


No. That would just select the parameter value. You would need to use dynamic sql.

In your procedure you would have the following:

DECLARE @sql nvarchar(max) = 'SELECT ' + @columnname + ' FROM Table_1';
exec sp_executesql @sql, N''

Try using dynamic SQL:

create procedure sp_First @columnname varchar 
AS 
begin 
    declare @sql nvarchar(4000);
    set @sql='select ['+@columnname+'] from Table_1';
    exec sp_executesql @sql
end 
go

exec sp_First 'sname'
go

Related

Multiple returns: Which one sets the final return value?
Is there a good LINQ way to do a cartesian product?
How to pass a value from one Activity to another in Android?
How to count the number of unique values by group? [duplicate]
Firing event on DOM attribute change
In Excel VBA, how do I save / restore a user-defined filter?
How to get children of a WPF container by type?
Stringification of a macro value
ImportError: DLL load failed: The specified module could not be found
Python: execute cat subprocess in parallel
Order of local variable allocation on the stack
Returning Chrome storage API value without function