0

I am trying to insert data into a SQL Server table using a variable. I tried

DECLARE @table NVARCHAR(50) = 'ToolList',
        @val NVARCHAR(50) = 'test'

EXEC ('INSERT INTO ' + @table + 'SELECT ' + @val)

and

EXEC ('INSERT INTO ' + @table + '([col1]) VALUES(' + @val + ')')

but still get an error that says

Incorrect syntax near 'test'.

2
  • Not sure, but maybe try setting @val nvarchar(50) = ' test ', giving a space before and after test. Commented Jan 16, 2018 at 7:19
  • Basic debugging: print or select the string after building it but before you execute it. You'll see you didn't quote your VARCHAR values. Also, look into SP_EXECUTESQL, which allows typed parameters for dynamic SQL; then you don't need to quote it, and won't be vulnerable to SQL injection attacks. Commented Jan 16, 2018 at 8:24

4 Answers

5

You missed a space before SELECT, and @val should be enclosed in single quotes.

DECLARE @table nvarchar(50) = 'ToolList',
    @val nvarchar(50) = 'test'


EXEC ( 'INSERT INTO ' + @table + ' SELECT ''' + @val + '''')

When you use dynamic SQL, it is easier to build the query in a variable so that you can print out and inspect the value before execution.

-- declare the variable that will hold the statement text
declare @sql nvarchar(max)

select @sql = 'INSERT INTO ' + @table + ' SELECT ''' + @val + ''''
print @sql
exec (@sql)


2

You'd better use sp_executesql that allows for statements to be parameterized, to avoid the risk of SQL injection.

DECLARE @Query NVARCHAR(1000),
    @table NVARCHAR(50) = 'ToolList'

SET @Query = 'INSERT INTO ' + @table + ' SELECT @val'
EXEC sp_executesql @Query, N'@val nvarchar(50)', @val = 'test'

Reference: sp_executesql (Transact-SQL)

1 Comment

This is absolutely the correct way to go. It protects from attacks, it protects from mistakes, deals with quoting and allows execution plan reuse. The other answers work, this is correct.
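The following is an added example, not code from the question or from any of the answers. It shows the sp_executesql approach end to end: the value goes in as a typed parameter (so embedded quotes need no escaping), while the table name, which cannot be parameterised, is checked for existence and wrapped in QUOTENAME before it is concatenated. The temp table, column and sample value are constructed for the demo; the OBJECT_ID lookup against tempdb is an assumption tied to using a temp table and would be a plain OBJECT_ID(@table, 'U') for a permanent table.

```sql
-- Added example (not from the question or any answer): parameterised
-- dynamic INSERT with an identifier check and QUOTENAME on the table name.
SET NOCOUNT ON;

-- Constructed sample table, mirroring the question's ToolList
CREATE TABLE #ToolList (col1 NVARCHAR(50));

DECLARE @table SYSNAME      = N'#ToolList',
        @val   NVARCHAR(50) = N'O''Brien''s tool';  -- constructed value with embedded quotes
DECLARE @sql   NVARCHAR(MAX);

-- 1. Identifier check: refuse anything that does not resolve to a real table.
--    (Assumption: temp table, hence the tempdb.. prefix; for a permanent
--    table use OBJECT_ID(@table, N'U').)
IF OBJECT_ID(N'tempdb..' + @table, N'U') IS NULL
BEGIN
    RAISERROR(N'Unknown table: %s', 16, 1, @table);
    RETURN;
END;

-- 2. Build the statement. QUOTENAME brackets the identifier and doubles any
--    ']' inside it; the value itself never becomes part of the string.
SET @sql = N'INSERT INTO ' + QUOTENAME(@table) + N' ([col1]) VALUES (@val);';

-- 3. Inspect the text before running it (the debugging step from the comments).
PRINT @sql;

-- 4. Execute with a typed parameter; no quoting or escaping of @val is needed.
EXEC sys.sp_executesql @sql, N'@val NVARCHAR(50)', @val = @val;

-- The stored row keeps both apostrophes intact.
SELECT col1 FROM #ToolList;

DROP TABLE #ToolList;
```

With the string-concatenation approach in the other answers, the same @val would have produced `SELECT 'O'Brien's tool'` and failed with another "Incorrect syntax" error unless every embedded quote had been doubled first; the parameterised form sidesteps that whole class of quoting mistakes, and the QUOTENAME plus existence check closes the one part of the statement that still has to be concatenated.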
1

You can also use CHAR(39) instead of adding single quotes every time, for better readability. Also, you have not added a space after the variable which contains the table name.

Query

declare @table nvarchar(50) = 'ToolList',
        @val nvarchar(50) = 'test2';

declare @sql as varchar(max) = 'insert into ' + @table
                             + ' select ' + char(39) + @val + char(39);
exec(@sql);


1

You need 4 single quotes before the @val field, as it is a string and all strings need to be encapsulated in single quotes. You can print the dynamic string using the PRINT command to check the final string you are going to execute.

DECLARE @table VARCHAR(50) = 'ToolList'
DECLARE @val VARCHAR(50) = 'test'
DECLARE @DSQL AS VARCHAR(MAX) = ''

SET @DSQL = @DSQL + ' INSERT INTO [' + @table + ']' + ' 
 SELECT ' + '''' + @val + ''''

--PRINT @DSQL
EXEC(@DSQL)
