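-- Dynamic comparison against Foo.Bar. The operator has to be spliced into the
-- statement text (identifiers and operators cannot be bound), so it is checked
-- against a fixed allow-list first; the compared value is bound as a parameter.
-- T-SQL line comments are '--'; the original '//' markers are not valid syntax.
IF @operator IS NULL OR @operator NOT IN ('=', '<>', '>', '<', '>=', '<=')
    THROW 50000, 'Unsupported comparison operator.', 1;

-- sp_executesql requires an nvarchar statement; a varchar argument is rejected
-- at call time ("expects parameter '@statement' of type ntext/nchar/nvarchar").
DECLARE @sql nvarchar(4000) = N'select * from Foo where Bar ' + @operator + N' @value';

-- @value travels as a typed parameter, never as text inside @sql.
EXEC sp_executesql @sql, N'@value int', @value = @value;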
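-- Same query as above, with the bound parameter named @p inside the statement
-- and the caller's @value passed positionally. The operator is validated
-- against a closed set before concatenation; only the value is parameterised.
-- T-SQL line comments are '--'; the original '//' markers are not valid syntax.
IF @operator IS NULL OR @operator NOT IN ('=', '<>', '>', '<', '>=', '<=')
    THROW 50000, 'Unsupported comparison operator.', 1;

-- sp_executesql requires an nvarchar statement, hence nvarchar and the N prefix.
DECLARE @sql nvarchar(4000) = N'select * from Foo where Bar ' + @operator + N' @p';

-- Positional binding: the outer @value fills the inner @p int parameter.
EXEC sp_executesql @sql, N'@p int', @value;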