Re: sql insertion

[H D Moore <hdm () secureaustin com>]

I know its bad form to answer my own question, but I thought others might find this useful.  
To update a field in a table without knowing the name of the table, you can do this:

_____________________________
# this finishes off the original select
bogusdata';

# start the table find TSQL
declare @SQLQ NVARCHAR(1024); 
set @SQLQ = 'UPDATE ' + 
(select name from sysobjects where id = 
(select id from syscolumns where name = 'KnownColumn'));

# make the query
set @SQLQ = @SQLQ + N' SET fname = ''OWNED'' WHERE KnownColumn = ''somevalue'' ';

# execute it
EXECUTE sp_executesql @SQLQ;

# force everything after to a comment
--

_____________________________

To actually use the query above, remove all of the # comments and place everything
on the same line, then paste it into the form field. The KnownColumn field is one I 
happened to guess based on the function of the application.

There has _got_ to be an easier way to do this, the above method only works if the
target table is the only one in the database with that column name.

-HD


On Saturday 26 May 2001 04:02 pm, H D Moore wrote:
> I have a buggy web application which takes an input field and places it in
> the middle of an SQL query, then executes it against a MS-SQL server. I can
> rewrite the query because single quotes are used to encapsulate the input
> field, and the script doesn't strip out the single quote character.
[ snip ]
>  Is there a way to select the
> object ID of known column name from the syscolumns metatable, pass that
> object ID into another subselect against the sysobjects metatable to get
> the table name, and finally use that table as part of a final query?
>
> -HD