
SQL Server - enclose a long script in single quotations for a function using sp_executesql

I have the following example of script. It works fine for this example as it is small and basic. I have a far bigger script with around 50 steps that works fine on its own. As in, hit F5 and does everything, checks if table exists, deletes, writes to tables, drops temps and all results are written to the necessary places. I can't seem to place this large script into this small example:

alter procedure james_tester
    @tablename nvarchar(200)
as
BEGIN
    declare @sql nvarchar(max)

    set @sql =

        ---->
        'select * from '   -- trailing space keeps the keyword separate from the table name
        ---->

        + @tablename
    EXECUTE sp_executesql @sql
END

 ---When executing:
 execute james_tester 'dbo.calendar_delete'

In my case the section in between the arrows is large and will have numerous variables. I just want to know if there is a function or possibly another way to place a large piece of script at a time in that single quote part. I hope I am describing this sufficiently. What affects the entire script currently from just putting a single quote before and after, is that there are already many comments, and single quotes used in the script that seem to stop the entire script from being highlighted red as text and working fine.

James

It is in fact only the presence of single quotes that will cause problems. Take the following illustration:

declare @bigText varchar(max);

SET @bigText = '"The time has come," the Walrus said, 
"To talk of many things: 
Of shoes and ships and sealing-wax --SQL Comment has no impact 
Of cabbages and kings /* c/c++ comment has no impact */
And why the sea is boiling hot //c# comment has no impact 
And whether pigs have wings."';

 SELECT @bigText;

Single quotes can be doubled using regex or some other string replace function, so that should not be too hard either.

BUT (and there always is a but of course) whether the remaining text is a legal SQL string, which you can execute is an entirely different question. The presence of extraneous comments etc. will almost certainly bite you.

In case anyone comes to this post and needs to know how this ended. I have no real security risks here of SQL injections etc on the database. The procedure takes a few minutes to run now and just takes this execute in the first two rows to run, with the variables being the periods of SAP backup I need to extract:

 execute jc_tester '01' , '02' , '03'
 go



alter procedure jc_tester
@Period1 varchar (3) ,@Period2 varchar (3) , @Period3 varchar (3)
as
begin
declare @sql nvarchar(max)
set @sql = 
replace('...... |    |    |    | ','|','''') + ......... @period1 + 
replace('.....','|','''')
execute sp_executesql @sql
end

Each section of text contained ' that I could not seem to avoid and caused havoc when handling as a string. These had to be replaced with pipes, then included in a replace statement.

Some other things I learnt along the way that threw my progress out. Don't use GO's in the script to be used in @sql. I did not know this. Rather use ;. Also remove any comments that use the leading '---'. Instead wrap all comments in the script with /* ..... */. I could swear this made a difference as so many of the comments in the script in @sql were all trailing ---'s.

This process has saved time and now that it is complete I can explore other options other than dynamic sql in a stored procedure and learn how to do it in probably a more appropriate manner. But I'm glad this ran eventually.... Thanks for the guidance.
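An added example, not code from any of the posts above: the same kind of procedure with the period values passed to sp_executesql as parameters instead of being concatenated, and the table name resolved against the catalog and bracket-quoted before it is spliced in. The names jc_tester_params, dbo.sap_backup, period and load_status are hypothetical, and CREATE OR ALTER assumes SQL Server 2016 SP1 or later.

```sql
-- Added example; dbo.sap_backup, period, load_status and jc_tester_params are hypothetical.
CREATE OR ALTER PROCEDURE dbo.jc_tester_params
    @tablename nvarchar(261),      -- schema.table, e.g. 'dbo.calendar_delete'
    @Period1   varchar(3),
    @Period2   varchar(3),
    @Period3   varchar(3)
AS
BEGIN
    SET NOCOUNT ON;

    -- Resolve the name against the catalog. Anything that is not an existing
    -- user table returns NULL and is rejected before any SQL text is built.
    DECLARE @object_id int = OBJECT_ID(@tablename, N'U');
    IF @object_id IS NULL
    BEGIN
        RAISERROR(N'Unknown table: %s', 16, 1, @tablename);
        RETURN;
    END;

    -- Rebuild the identifier from catalog values and bracket-quote each part.
    DECLARE @target nvarchar(517) =
        QUOTENAME(OBJECT_SCHEMA_NAME(@object_id)) + N'.' +
        QUOTENAME(OBJECT_NAME(@object_id));

    -- Quotes that belong to the script itself are doubled ('').
    -- The period values are never concatenated, so they need no escaping.
    DECLARE @sql nvarchar(max) = N'
        /* block comments stay valid wherever the line breaks fall */
        SELECT *
        FROM ' + @target + N'
        WHERE period IN (@p1, @p2, @p3)
          AND load_status <> ''deleted'';';

    -- Second argument declares the parameters, the rest bind their values.
    EXECUTE sp_executesql
        @sql,
        N'@p1 varchar(3), @p2 varchar(3), @p3 varchar(3)',
        @p1 = @Period1, @p2 = @Period2, @p3 = @Period3;
END;
GO

EXECUTE dbo.jc_tester_params N'dbo.sap_backup', '01', '02', '03';
```

A value such as `0' OR '1'='1` supplied as a period is compared as data here and cannot change the statement; only the table name reaches the SQL text, and only after the catalog lookup succeeds.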
