sql - Escaping command parameters passed to xp_cmdshell to dtexec

Question

I am calling an SSIS package remotely using a stored procedure and a call to xp_cmdshell:

declare @cmd varchar(5000)
set @cmd = '"C:Program Files (x86)Microsoft SQL Server100DTSBinndtexec.exe" /Rep E /Sql Package /SET Package.Variables[User::ImportFileName].Value;c:foo.xlsx'
print @cmd
exec xp_cmdshell @cmd

This works fine, however I can not guarantee the variable value (c:foo.xslx) is not going to contain spaces so I would like to escape that with quotes like below:

set @cmd = '"C:Program Files (x86)Microsoft SQL Server100DTSBinndtexec.exe" /Rep E /Sql Package /SET Package.Variables[User::ImportFileName].Value;"c:foo.xlsx"'

But by doing this I get the error

'C:Program' is not recognized as an internal or external command, operable program or batch file.

Both of the above commands work fine if executed within cmd.exe so I am guessing that SQL Server is interpreting my double quotes and changing something, but I can't figure out what.

Answer 1

In a nutshell, put CMD /S /C " at the beginning, and " at the end. In between you can have as many quotes as you like.

Here is how you do it:

declare @cmd varchar(8000)
-- Note you can use CMD builtins and output redirection etc with this technique, 
-- as we are going to pass the whole thing to CMD to execute
set @cmd = 'echo "Test" > "c:my log directorylogfile.txt" 2> "c:my other directoryerr.log" '


declare @retVal int
declare @output table(
    ix int identity primary key,
    txt varchar(max)
)


-- Magic goes here:
set @cmd = 'CMD /S /C " ' + @cmd + ' " '

insert into @output(txt)
exec @retVal = xp_cmdshell @cmd
insert @output(txt) select '(Exit Code: ' + cast(@retVal as varchar(10))+')'

select * from @output