
Can I pass column name as input parameter in a SQL stored procedure

sql
sql-injection
dynamic-sql
parameterization
by Nikita Barsukov · Jan 25, 2025
TLDR

The answer is yes: you can pass a column name into a stored procedure and splice it into dynamic SQL. However, remember to wrap it in QUOTENAME() so the name is treated as a single bracketed identifier and cannot break out of the statement. Here's a quick example:

CREATE PROCEDURE FetchData
    @ColName NVARCHAR(128)   -- a column name is at most 128 characters (sysname)
AS
BEGIN
    -- Build the statement into a variable first: sp_executesql's arguments must be
    -- variables or literals, not expressions such as N'...' + QUOTENAME(...).
    DECLARE @Sql NVARCHAR(MAX) = N'SELECT ' + QUOTENAME(@ColName) + N' FROM YourTable';
    EXEC sp_executesql @Sql;
END

You need to uphold the golden rules - maintain security, conduct thorough testing, and be aware of performance impacts.

Making and protecting dynamic SQL

Parameter and input validation

Establishing integrity and safeguarding your queries is critical. Validating parameters (for a column name, checking that it is one of the columns the table actually has before it goes anywhere near the query text) locks your system against SQL injection attacks. "A stitch in time saves nine", or in this case, a validation at input saves 999 potential attacks.

Executing dynamic SQL - safely

As the saying goes, "Safety first!". Turn this slogan into reality by using sp_executesql: it's like a safety harness for dynamic queries, because it lets you bind the search value as a real parameter instead of gluing it into the string.

-- The search value travels as a parameter, never as part of the SQL text.
-- The column name is still concatenated raw here; wrap it in QUOTENAME() as in the TLDR.
DECLARE @Sql NVARCHAR(MAX) = N'SELECT * FROM YourTable WHERE ' + @ColName + N' = @value';
EXEC sp_executesql @Sql, N'@value NVARCHAR(50)', @value = @YourValue;

"In sp_executesql we trust" - SQL developers, probably.

Harnessing the power of CASE

If dynamic SQL were a superpower, then a CASE expression would be its Kryptonite. But in a good way! A CASE expression offers a more secure, albeit longer, solution: no SQL text is ever built at runtime, so there is nothing to inject into.

SELECT CASE @ColName
           WHEN 'Column1' THEN Column1
           WHEN 'Column2' THEN Column2
           -- "Mirror, mirror, on the wall, add more columns as you recall"
           ELSE NULL
       END
FROM YourTable

This method is SQL's version of "Long, but strong."

Typing the loose ends

Confirm that the data type and length of the input parameter match what an actual column name can be (NVARCHAR(128), as in the TLDR), and that the columns a CASE branch can return have compatible types, or your stored procedure becomes a loaded gun. Keep your data reliable and intact.

Security guard at the SQL gates

Vulnerability eradication

Erect your line of defense against vulnerabilities by embracing error handling and logging: reject an unexpected column name with an error and record the attempt, rather than silently running whatever arrived. Always sanitize user inputs like a SQL dentist.

-- SQL dentistry 101: "Brush off concatenations, floss with parameterization"
-- QUOTENAME() brackets the identifier; the value is bound as a parameter.
DECLARE @Sql NVARCHAR(MAX) = N'SELECT * FROM YourTable WHERE ' + QUOTENAME(@ColName) + N' = @value';
EXEC sp_executesql @Sql, N'@value NVARCHAR(50)', @value = @YourValue;
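Putting the three defenses together (an allow-list check against the table's real columns, QUOTENAME() on the identifier, and a bound parameter for the value), here is an added example that is not part of the original post. The table dbo.YourTable, the procedure name and the column names are assumed for illustration; it targets SQL Server 2012 or later because of THROW.

```sql
-- Added example (not from the original post). Assumes a table dbo.YourTable.
CREATE PROCEDURE dbo.FetchByColumn
    @ColName sysname,        -- sysname = NVARCHAR(128), the identifier type
    @Value   NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;

    -- Allow-list check: the name must be a real column of the target table.
    -- Anything else is rejected before a single byte of SQL text is built.
    IF NOT EXISTS (
        SELECT 1
        FROM sys.columns
        WHERE object_id = OBJECT_ID(N'dbo.YourTable')
          AND name = @ColName
    )
    BEGIN
        -- Fail loudly so the caller (and your logs) see the bad input.
        THROW 50001, N'Unknown column name supplied to FetchByColumn.', 1;
    END;

    -- Build the statement into a variable: sp_executesql cannot take an
    -- expression such as N'...' + QUOTENAME(...) directly as its argument.
    DECLARE @Sql NVARCHAR(MAX) =
        N'SELECT * FROM dbo.YourTable WHERE ' + QUOTENAME(@ColName) + N' = @Value;';

    -- The identifier is bracketed; the search value never touches the SQL text.
    EXEC sys.sp_executesql
        @Sql,
        N'@Value NVARCHAR(50)',
        @Value = @Value;
END;
GO

-- Usage (assumed column name): the first call runs, the second is rejected
-- by the allow-list check with error 50001.
EXEC dbo.FetchByColumn @ColName = N'Column1',    @Value = N'abc';
EXEC dbo.FetchByColumn @ColName = N'NotAColumn', @Value = N'abc';
```

Because the column name is checked against sys.columns, QUOTENAME() becomes a second layer rather than the only one, and a renamed or dropped column surfaces as a clear error instead of a runtime surprise.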

Handling dynamic SQL like a pro

Remember:

  • Query plan caching: SQL Server caches one plan per distinct statement text, so a query built per column name is cached once per column rather than once overall. Dynamic SQL might pour a bucket of cold water on caching; look out for performance hits.
  • Testing: it's SQL's "Try before you buy". Validate with a host of inputs, including column names that do not exist.
  • Second opinions: ask experienced SQL developers; their review can catch risks in dynamic SQL before it ships.

Beyond the SQL Horizon

Dynamic SQL is not a one-trick pony

Dynamic SQL goes the extra mile by letting you build sophisticated joins, conditional logic within queries, and more. Used carefully, this power can improve performance.

Alternate routes to dynamic SQL

Explore the uncharted territories beyond dynamic SQL, such as individual stored procedures for each column, or an ORM (Object-Relational Mapping) framework that wraps the dynamic SQL requirements in a more manageable package.