Sql server 2005 sql server中的过程(获取问题)?
在我的应用程序中,我正在实现搜索,这就像用户在文本框中输入用逗号分隔的文本一样,搜索结果将显示出来。这是我的要求,为此我写了一个程序,就像这样Sql server 2005 sql server中的过程(获取问题)?,sql-server-2005,Sql Server 2005,在我的应用程序中,我正在实现搜索,这就像用户在文本框中输入用逗号分隔的文本一样,搜索结果将显示出来。这是我的要求,为此我写了一个程序,就像这样 create procedure [dbo].[videos_getSearch](@searchstring AS VARCHAR(1000)) AS BEGIN DECLARE @CurNumber INT, @CommaIndex INT, @strSearch varchar(3000),@str varchar(50) declar
create procedure [dbo].[videos_getSearch](@searchstring AS VARCHAR(1000))
AS
BEGIN
DECLARE @CurNumber INT, @CommaIndex INT, @strSearch varchar(3000),@str varchar(50)
declare @strQuery varchar(1000),@result varchar(5000)
declare @sql varchar(2000)
DECLARE @CurNumStr VARCHAR(20)
set @strSearch = ''
WHILE LEN(@searchstring) > 0
BEGIN
SET @CommaIndex = CHARINDEX(',', @searchstring)
IF @CommaIndex = 0 SET @CommaIndex = LEN(@searchstring)+1
SET @CurNumStr = SUBSTRING(@searchstring, 1, @CommaIndex-1)
SET @searchstring = SUBSTRING(@searchstring, @CommaIndex+1, LEN(@searchstring))
BEGIN
set @str = ltrim(rtrim(@CurNumStr))
if LEN(@searchstring)> 0
begin
set @strSearch = @strSearch + '''%' + @str +'%'''+'or tags like'
end
else
begin
set @strSearch = @strSearch + '''%'+ @str +'%'''
end
END
END
set @sql='SELECT phot_album.albumid,phot_album.tags,phot_album.albumtitle,phot_album.coverphoto,trailor_creation.trailorid,trailor_creation.tags,trailor_creation.movie,trailor_creation.images,video_upload.videoid,video_upload.videotitle,video_upload.videofile,video_upload.tags FROM phot_album INNER JOIN trailor_creation ON phot_album.tags = trailor_creation.tags INNER JOIN video_upload ON phot_album.tags = video_upload.tags where (phot_album.tags) like '+@strSearch +' or (trailor_creation.tags) like '+@strSearch +' or (video_upload.tags) like '+@strSearch
execute (@sql)
END
列名称“tags”不明确 错误是这一行:
set @strSearch = @strSearch + '''%' + @str +'%'''+'or tags like'
set @strSearch = @strSearch + '''%' + @str +'%'''+'or tags like'
您需要指定或标记的表,如错误如下:
set @strSearch = @strSearch + '''%' + @str +'%'''+'or tags like'
set @strSearch = @strSearch + '''%' + @str +'%'''+'or tags like'
您需要为或标记指定哪个表,如问题在于这一行:
set @strSearch = @strSearch + '''%' + @str +'%'''+'or tags like'
set @strSearch = @strSearch + '''%' + @str +'%'''+'or tags like'
据我所知,您要加入的所有表都有一个tags列,在此where子句中,您没有指定要根据哪个表进行筛选,问题是这一行:
set @strSearch = @strSearch + '''%' + @str +'%'''+'or tags like'
set @strSearch = @strSearch + '''%' + @str +'%'''+'or tags like'
据我所知,您要加入的所有表都有一个tags列,并且在where子句中,您没有指定要通过哪个表进行筛选,您当前使用基于用户输入的动态SQL的方法容易受到SQL注入的攻击。我对它进行了修改,以便将搜索词放入一个表变量中,然后将其连接起来。这样更安全 此外,我不确定所需的语义。动态SQL WHERE子句是WHERE phot_album.tags(如“++@strearch+”或trailor_creation.tags(如“++@strearch+”)或video_upload.tags(如“++@strearch 但您的JOIN子句会带回在标记上连接的记录。在这种情况下,所有表中的标记值都相同,只需检查其中一个
CREATE PROCEDURE [dbo].[videos_getSearch](@searchstring AS VARCHAR(1000))
AS
BEGIN
DECLARE @CurNumber INT, @CommaIndex INT, @strSearch VARCHAR(3000),@STR VARCHAR(50)
DECLARE @strQuery VARCHAR(1000),@RESULT VARCHAR(5000)
DECLARE @SQL VARCHAR(2000)
DECLARE @CurNumStr VARCHAR(20)
WHILE LEN(@searchstring) > 0
BEGIN
SET @CommaIndex = CHARINDEX(',', @searchstring)
IF @CommaIndex = 0 SET @CommaIndex = LEN(@searchstring)+1
SET @CurNumStr = SUBSTRING(@searchstring, 1, @CommaIndex-1)
SET @searchstring = SUBSTRING(@searchstring, @CommaIndex+1, LEN(@searchstring))
DECLARE @SearchTerms TABLE
(
Term VARCHAR(50)
)
BEGIN
SET @STR = LTRIM(RTRIM(@CurNumStr))
INSERT INTO @SearchTerms VALUES (@STR)
END
END
SELECT phot_album.albumid ,
phot_album.tags ,
phot_album.albumtitle ,
phot_album.coverphoto ,
trailor_creation.trailorid,
trailor_creation.tags ,
trailor_creation.movie ,
trailor_creation.images ,
video_upload.videoid ,
video_upload.videotitle ,
video_upload.videofile ,
video_upload.tags
FROM phot_album
INNER JOIN trailor_creation
ON phot_album.tags = trailor_creation.tags
INNER JOIN video_upload
ON phot_album.tags = video_upload.tags
INNER JOIN @SearchTerms ST
ON phot_album.tags LIKE '%' + ST.Term + '%'
END
CREATE PROCEDURE [dbo].[videos_getSearch]
(
@searchstring AS VARCHAR(1000)
)
AS
BEGIN
DECLARE @SearchTerms TABLE
(
Term VARCHAR(50)
)
DECLARE @CommaIndex INT
DECLARE @CurNumStr VARCHAR(20)
WHILE LEN(@searchstring) > 0
BEGIN
SET @CommaIndex = CHARINDEX(',', @searchstring)
IF @CommaIndex = 0
SET @CommaIndex = LEN(@searchstring)+1
SET @CurNumStr = SUBSTRING(@searchstring, 1, @CommaIndex-1)
SET @searchstring = SUBSTRING(@searchstring, @CommaIndex+1, LEN(@searchstring))
BEGIN
INSERT
INTO @SearchTerms VALUES
('%' + LTRIM(RTRIM(@CurNumStr)) + '%')
END
END
SELECT 'phot_album' AS Source ,
phot_album.albumid AS entityId ,
phot_album.tags ,
phot_album.albumtitle AS title ,
phot_album.coverphoto AS image
FROM phot_album
INNER JOIN @SearchTerms ST
ON phot_album.tags LIKE ST.Term
UNION ALL
SELECT 'trailor_creation' AS Source ,
trailor_creation.trailorid ,
trailor_creation.tags ,
trailor_creation.movie ,
trailor_creation.images
FROM trailor_creation
INNER JOIN @SearchTerms ST
ON trailor_creation.tags LIKE ST.Term
UNION ALL
SELECT 'video_upload' AS Source ,
video_upload.videoid ,
video_upload.tags ,
video_upload.videotitle ,
video_upload.videofile
FROM video_upload
INNER JOIN @SearchTerms ST
ON video_upload.tags LIKE ST.Term
END
当前使用基于用户输入的动态SQL的方法容易受到SQL注入的影响。我对它进行了修改,以便将搜索词放入一个表变量中,然后将其连接起来。这样更安全 此外,我不确定所需的语义。动态SQL WHERE子句是WHERE phot_album.tags(如“++@strearch+”或trailor_creation.tags(如“++@strearch+”)或video_upload.tags(如“++@strearch 但您的JOIN子句会带回在标记上连接的记录。在这种情况下,所有表中的标记值都相同,只需检查其中一个
CREATE PROCEDURE [dbo].[videos_getSearch](@searchstring AS VARCHAR(1000))
AS
BEGIN
DECLARE @CurNumber INT, @CommaIndex INT, @strSearch VARCHAR(3000),@STR VARCHAR(50)
DECLARE @strQuery VARCHAR(1000),@RESULT VARCHAR(5000)
DECLARE @SQL VARCHAR(2000)
DECLARE @CurNumStr VARCHAR(20)
WHILE LEN(@searchstring) > 0
BEGIN
SET @CommaIndex = CHARINDEX(',', @searchstring)
IF @CommaIndex = 0 SET @CommaIndex = LEN(@searchstring)+1
SET @CurNumStr = SUBSTRING(@searchstring, 1, @CommaIndex-1)
SET @searchstring = SUBSTRING(@searchstring, @CommaIndex+1, LEN(@searchstring))
DECLARE @SearchTerms TABLE
(
Term VARCHAR(50)
)
BEGIN
SET @STR = LTRIM(RTRIM(@CurNumStr))
INSERT INTO @SearchTerms VALUES (@STR)
END
END
SELECT phot_album.albumid ,
phot_album.tags ,
phot_album.albumtitle ,
phot_album.coverphoto ,
trailor_creation.trailorid,
trailor_creation.tags ,
trailor_creation.movie ,
trailor_creation.images ,
video_upload.videoid ,
video_upload.videotitle ,
video_upload.videofile ,
video_upload.tags
FROM phot_album
INNER JOIN trailor_creation
ON phot_album.tags = trailor_creation.tags
INNER JOIN video_upload
ON phot_album.tags = video_upload.tags
INNER JOIN @SearchTerms ST
ON phot_album.tags LIKE '%' + ST.Term + '%'
END
CREATE PROCEDURE [dbo].[videos_getSearch]
(
@searchstring AS VARCHAR(1000)
)
AS
BEGIN
DECLARE @SearchTerms TABLE
(
Term VARCHAR(50)
)
DECLARE @CommaIndex INT
DECLARE @CurNumStr VARCHAR(20)
WHILE LEN(@searchstring) > 0
BEGIN
SET @CommaIndex = CHARINDEX(',', @searchstring)
IF @CommaIndex = 0
SET @CommaIndex = LEN(@searchstring)+1
SET @CurNumStr = SUBSTRING(@searchstring, 1, @CommaIndex-1)
SET @searchstring = SUBSTRING(@searchstring, @CommaIndex+1, LEN(@searchstring))
BEGIN
INSERT
INTO @SearchTerms VALUES
('%' + LTRIM(RTRIM(@CurNumStr)) + '%')
END
END
SELECT 'phot_album' AS Source ,
phot_album.albumid AS entityId ,
phot_album.tags ,
phot_album.albumtitle AS title ,
phot_album.coverphoto AS image
FROM phot_album
INNER JOIN @SearchTerms ST
ON phot_album.tags LIKE ST.Term
UNION ALL
SELECT 'trailor_creation' AS Source ,
trailor_creation.trailorid ,
trailor_creation.tags ,
trailor_creation.movie ,
trailor_creation.images
FROM trailor_creation
INNER JOIN @SearchTerms ST
ON trailor_creation.tags LIKE ST.Term
UNION ALL
SELECT 'video_upload' AS Source ,
video_upload.videoid ,
video_upload.tags ,
video_upload.videotitle ,
video_upload.videofile
FROM video_upload
INNER JOIN @SearchTerms ST
ON video_upload.tags LIKE ST.Term
END
Ye Verdan先生,我怎么能说标签是这个表呢?你能解决这个查询吗?谢谢你的回答。正如上面所说,你必须指定这个表,但是在查看你的查询后,我发现你在3个不同的表中使用了与where子句相同的字符串。phot_album.tags(如“++@strearch+”)或trailor_creation.tags(如“++@strearch+”)或video_upload.tags(如“++@strearch”)恐怕在这种情况下,您必须更改查询中的某些内容,您将无法使用相同的where子句字符串使用它。顺便说一句,我不知道它是否只是在帖子中,但似乎你忘了在@strearchmr的末尾加上@searchstring。Verdan感谢您的回复,但如果您不介意,我不明白您是否可以修改该查询谢谢我在sql查询方面没有那么强。是的,Verdan先生,我怎么能说标签是这个表呢?您可以解决此查询吗?谢谢您的回复如前所述,您必须指定表,但是在查看您的查询之后,我发现您在3个不同的表中使用了与where子句相同的字符串。phot_album.tags(如“++@strearch+”)或trailor_creation.tags(如“++@strearch+”)或video_upload.tags(如“++@strearch”)恐怕在这种情况下,您必须更改查询中的某些内容,您将无法使用相同的where子句字符串使用它。顺便说一句,我不知道它是否只是在帖子中,但似乎你忘了在@strearchmr的末尾加上@searchstring。Verdan感谢您的回复,但如果您不介意的话,我不明白您是否可以修改该查询谢谢您我在sql查询方面没有那么强。ck如何指定表名。你能告诉我吗。感谢您的回复您需要在手前添加正确的表名并加上句号。之间,与select语句中相同。ck先生,如果您不介意,可以根据我的要求更改查询吗?这是非常紧急的。谢谢你,先生。ck如何指定表名。你能告诉我吗。感谢您的回复您需要在手前添加正确的表名并加上句号。介于之间,与“选择州”中的相同
t、 如果您不介意的话,请根据我的要求更改查询。这是非常紧急的。谢谢小心,此函数可能受到SQL攻击。我看到您已将我的答案标记为已接受。只是想让你知道,如果你不知道的话,这不会再自动奖励奖金了!小心,此函数容易受到SQL攻击。我看到您已将我的答案标记为已接受。只是想让你知道,如果你不知道的话,这不会再自动奖励奖金了!