SQL Server 消息 137,级别 15,状态 2,第 29 行:必须声明标量变量 "@ACTIVE_STATUS"
外部变量和参数不在 `EXECUTE(@SQL)` 的范围内。
您需要改为使用 `sp_executesql`,并将它们作为参数传入。
此外,您还应该了解 SQL 注入。如果参数(如 @REQUESTOR_DEPT)来自不可信的来源(如用户输入),则您可能会受到攻击,因为您只是将它们直接拼接到查询字符串中。把这些值作为参数传给 sp_executesql,而不是拼接进字符串,既能消除变量作用域错误,也能避免注入。
尝试创建一个小型复现示例(repro)来演示此问题。
感谢 Martin Smith,但是如何在 sp_executesql 中传递参数?
@user2881261 - 我答案中的链接在页面底部有示例。
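ALTER PROCEDURE [dbo].[S_EDIT_USER] (
    @DSA_CODE       VARCHAR(10),
    @REQUESTOR_DEPT VARCHAR(40),
    @ACTIVE_STATUS  INT,
    @MAKER_ID       VARCHAR(10),
    @MAKER_IP       VARCHAR(20),
    @ERROR_CODE     INT OUTPUT
)
AS
/*
  Copies one DSA_MST row into TMAS_UAM_USER_TMP unless a row with the same
  DSA_CODE is already staged there.

  Parameters
    @DSA_CODE        key looked up in TMAS_UAM_USER_TMP.DSA_CODE and DSA_MST.DSA_COD
    @REQUESTOR_DEPT  department filter; the literal 'N' means "match rows whose
                     REQUESTOR_DEPT is NULL" and stores '' in DSA_RQSTR_DEPT
    @ACTIVE_STATUS   value written to ACTIVE_STATUS
    @MAKER_ID/_IP    values written to MAKER_ID / MAKER_IP
    @ERROR_CODE      OUTPUT: 1 when @DSA_CODE is already staged, otherwise 0

  Returns @ERROR_CODE as the procedure return value.

  Security: every caller-supplied value reaches the statement as a bound
  sp_executesql parameter. The statement text is assembled from constant
  fragments only, so no parameter value can alter the query structure.
  Binding also resolves Msg 137: EXECUTE(@SQL) runs in its own scope and
  cannot see the procedure's variables (the earlier text referenced
  @ACTIVE_STATUS inside the string).

  NOTE(review): dynamic SQL is not covered by ownership chaining, so the
  caller needs INSERT on TMAS_UAM_USER_TMP and SELECT on DSA_MST directly.
  A static INSERT ... SELECT with a combined predicate would avoid this.
  NOTE(review): DSA_MST.DSA_COD's data type is not visible here; it is now
  compared with a VARCHAR(10) parameter - confirm that no implicit
  conversion hurts index use.
*/
BEGIN
    DECLARE @SQL             NVARCHAR(MAX);
    DECLARE @PARAMS          NVARCHAR(500);
    DECLARE @MATCH_NULL_DEPT BIT;

    -- EXISTS stops at the first matching row; only presence matters here.
    IF EXISTS (SELECT 1 FROM TMAS_UAM_USER_TMP WHERE DSA_CODE = @DSA_CODE)
        SET @ERROR_CODE = 1;
    ELSE
        SET @ERROR_CODE = 0;

    -- Capture the 'N' sentinel BEFORE normalising it. The earlier code reset
    -- @REQUESTOR_DEPT to '' first, so its later "= 'N'" test was never true.
    SET @MATCH_NULL_DEPT = CASE WHEN @REQUESTOR_DEPT = 'N' THEN 1 ELSE 0 END;

    IF @MATCH_NULL_DEPT = 1
        SET @REQUESTOR_DEPT = '';

    PRINT @REQUESTOR_DEPT;

    -- Build and run the INSERT only when the code is not already staged.
    -- The block keeps every dependent statement under the same guard.
    IF @ERROR_CODE = 0
    BEGIN
        SET @SQL = N'INSERT INTO TMAS_UAM_USER_TMP (
            DSA_CODE
            ,DSA_NAME
            ,DSA_CITY
            ,DSA_PRODUCT
            ,DSA_PHNO
            ,DSA_MOBNO
            ,DSA_RQSTR
            ,DSA_RQSTR_DEPT
            ,GROUP_ID
            ,ACTIVE_STATUS
            ,REQ_TYPE
            ,LAST_LOGED_IN
            ,CREATED_ID
            ,CREATED_IP
            ,CREATED_DATE
            ,MAKER_ID
            ,MAKER_IP
            ,MAKER_DATE
            ) SELECT DSA_COD
            ,DSA_NAM
            ,DSA_CTY
            ,PRODUCT
            ,DSA_PHO
            ,DSA_MOB
            ,REQUESTOR
            ,@REQUESTOR_DEPT
            ,GROUP_ID
            ,@ACTIVE_STATUS
            ,1
            ,LAST_LOG_DAT
            ,CREATED_ID
            ,CREATED_IP
            ,CREATED_DATE
            ,@MAKER_ID
            ,@MAKER_IP
            ,GETDATE()
            FROM DSA_MST WHERE DSA_COD = @DSA_CODE and ';

        -- Only constant text is appended; the department value stays a parameter.
        IF @MATCH_NULL_DEPT = 1
        BEGIN
            SET @SQL = @SQL + N'REQUESTOR_DEPT is null';
            PRINT( 'If Query' + @SQL );
        END
        ELSE
        BEGIN
            -- A NULL @REQUESTOR_DEPT matches no row under ANSI_NULLS, so nothing
            -- is inserted (the concatenated version also did nothing for NULL).
            SET @SQL = @SQL + N'REQUESTOR_DEPT = @REQUESTOR_DEPT';
            PRINT( 'Else Query' + @SQL );
        END

        -- Parameter declarations mirror the procedure's own parameter types.
        SET @PARAMS = N'@DSA_CODE VARCHAR(10), @REQUESTOR_DEPT VARCHAR(40), '
                    + N'@ACTIVE_STATUS INT, @MAKER_ID VARCHAR(10), @MAKER_IP VARCHAR(20)';

        EXECUTE sys.sp_executesql
            @SQL,
            @PARAMS,
            @DSA_CODE       = @DSA_CODE,
            @REQUESTOR_DEPT = @REQUESTOR_DEPT,
            @ACTIVE_STATUS  = @ACTIVE_STATUS,
            @MAKER_ID       = @MAKER_ID,
            @MAKER_IP       = @MAKER_IP;
    END

    RETURN @ERROR_CODE;
END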