I know its bad form to answer my own question, but I thought others might find this useful. To update a field in a table without knowing the name of the table, you can do this: _____________________________ # this finishes off the original select bogusdata'; # start the table find TSQL declare @SQLQ NVARCHAR(1024); set @SQLQ = 'UPDATE ' + (select name from sysobjects where id = (select id from syscolumns where name = 'KnownColumn')); # make the query set @SQLQ = @SQLQ + N' SET fname = ''OWNED'' WHERE KnownColumn = ''somevalue'' '; # execute it EXECUTE sp_executesql @SQLQ; # force everything after to a comment -- _____________________________ To actually use the query above, remove all of the # comments and place everything on the same line, then paste it into the form field. The KnownColumn field is one I happened to guess based on the function of the application. There has _got_ to be an easier way to do this, the above method only works if the target table is the only one in the database with that column name. -HD On Saturday 26 May 2001 04:02 pm, H D Moore wrote: > I have a buggy web application which takes an input field and places it in > the middle of an SQL query, then executes it against a MS-SQL server. I can > rewrite the query because single quotes are used to encapsulate the input > field, and the script doesn't strip out the single quote character. [ snip ] > Is there a way to select the > object ID of known column name from the syscolumns metatable, pass that > object ID into another subselect against the sysobjects metatable to get > the table name, and finally use that table as part of a final query? > > -HD
This archive was generated by hypermail 2b30 : Mon May 28 2001 - 06:32:04 PDT