SQL Select * FROM 表，其中日期是动态的

Question

I'm trying to run a parametrized SELECT query on a table, where date is equal to my @date stored in a variable and for some reason it does not work:

DECLARE @date DATETIME;
set @date = '09/01/2022';

select * from dba.hello where datum = @date

This works the way that I want to, but when i try to parametrize the query as follows:

 declare @table_name nvarchar(255);
 set @table_name = 'dba.hello';

 DECLARE @date DATETIME;
 set @date = '09/01/2022';

 exec('select * from '+@table_name+' where datum = '+@date)

I'm getting this error: Parse error at line: 1, column: 58: Incorrect syntax near '2022'.

Does anyone know what could be the issue, please?

Thanks

Answer 1

You need to, just like any statement, parametrise your dynamic statement. If you do that, you have no problems. I also split your schema and table names into 2 variables and safely inject them:

DECLARE @SchemaName sysname,
        @TableName sysname;

SET @SchemaName = N'dba';
SET @TableName = N'Hello';

DECLARE @date datetime = '20220109'; --Should this not be a date is it's only a date?

DECLARE @SQL nvarchar(MAX);
SET @SQL = N'SELECT * FROM ' + QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName) + N' WHERE datum = @date;';
EXEC sys.sp_executesql @SQL, N'@date datetime', @date;