makeitwork09
Technical User
I found the following code at and was wondering if it needs to include QUOTENAME to help avoid SQL injection? And if so, where specifically is it required.
For reference, if I were to use the code I will be using Microsoft SQL Server 2005
Thanks
Code:
DECLARE @PivotColumnHeaders VARCHAR(MAX)
SELECT @PivotColumnHeaders =
COALESCE(
@PivotColumnHeaders + ',[' + cast(Name as varchar) + ']',
'[' + cast(Name as varchar)+ ']'
)
FROM Sales.SalesTerritory
DECLARE @PivotTableSQL NVARCHAR(MAX)
SET @PivotTableSQL = N'
SELECT *
FROM (
SELECT
YEAR(H.OrderDate) [Year],
T.Name,
H.TotalDue
FROM Sales.SalesOrderHeader H
LEFT JOIN Sales.SalesTerritory T
ON H.TerritoryID = T.TerritoryID
) AS PivotData
PIVOT (
SUM(TotalDue)
FOR Name IN (
' + @PivotColumnHeaders + '
)
) AS PivotTable
'
EXECUTE(@PivotTableSQL)
For reference, if I were to use the code I will be using Microsoft SQL Server 2005
Thanks