Sql server 如何在使用EXEC sp_executesql的可执行sql存储过程中动态构建like子句?
当我传入@NameSubstring参数时,以下存储过程在execpt中正常工作。我知道我没有正确地动态构建like子句。当此参数还需要作为过程底部附近的EXEC sp_executesql调用中的参数传递时,如何构建like子句Sql server 如何在使用EXEC sp_executesql的可执行sql存储过程中动态构建like子句?,sql-server,Sql Server,当我传入@NameSubstring参数时,以下存储过程在execpt中正常工作。我知道我没有正确地动态构建like子句。当此参数还需要作为过程底部附近的EXEC sp_executesql调用中的参数传递时,如何构建like子句 ALTER PROCEDURE [dbo].[spGetAutoCompleteList] ( @AutoCompleteID int, @StatusFlag int, @NameSubstring varchar(100), @
ALTER PROCEDURE [dbo].[spGetAutoCompleteList]
(
@AutoCompleteID int,
@StatusFlag int,
@NameSubstring varchar(100),
@CompanyID int,
@ReturnMappings bit,
@ReturnData bit
)
AS
DECLARE @ErrorCode int,
@GetMappings nvarchar(500),
@Debug bit,
@Select AS NVARCHAR(4000),
@From AS NVARCHAR(4000),
@Where AS NVARCHAR(4000),
@Sql AS NVARCHAR(4000),
@Parms AS NVARCHAR(4000)
SET @ErrorCode = 0
SET @Debug = 1
BEGIN TRAN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
IF @AutoCompleteID IS NOT NULL OR @StatusFlag IS NOT NULL OR @NameSubstring IS NOT NULL
BEGIN
SET @Select = '
SELECT ac.AutoCompleteID,
ac.AutoCompleteName,
ac.CompanyID,
ac.StatusFlag,
ac.OwnerOperID,
ac.CreateDT,
ac.CreateOperID,
ac.UpdateDT,
ac.UpdateOperID,
ac.SubmitOperID,
ac.SubmitDT,
ac.ReviewComments'
SET @GetMappings = '
Select ac.AutoCompleteID'
IF @ReturnData = 1
BEGIN
SET @Select = @Select + '
, ac.AutoCompleteData'
END
SET @From = '
FROM tbAutoComplete ac'
SET @Where = '
WHERE 1=1'
IF @AutoCompleteID IS NOT NULL
BEGIN
SET @Where = @Where + '
AND ac.AutoCompleteID = CAST(@AutoCompleteID AS nvarchar)'
END
IF @StatusFlag IS NOT NULL
BEGIN
SET @Where = @Where + '
AND ac.StatusFlag = CAST(@StatusFlag AS nvarchar)'
END
IF @NameSubstring IS NOT NULL
BEGIN
SET @Where = @Where + '
AND ac.AutoCompleteName like @NameSubstring' + '%'
END
SET @Where = @Where + '
AND ac.CompanyID = + CAST(@CompanyID AS nvarchar)'
SET @Sql = @Select + @From + @Where
SET @Parms = '
@AutoCompleteID int,
@StatusFlag int,
@NameSubstring varchar(100),
@CompanyID int'
EXEC sp_executesql @Sql,
@Parms,
@AutoCompleteID,
@StatusFlag,
@NameSubstring,
@CompanyID
IF @ReturnMappings = 1
BEGIN
SET @GetMappings = 'Select * FROM tbAutoCompleteMap acm WHERE acm.AutoCompleteID IN(' + @GetMappings + @From + @Where + ')'
--EXEC sp_executesql @GetMappings
END
IF @Debug = 1
BEGIN
PRINT @GetMappings
PRINT @Sql
END
END
SELECT @ErrorCode = @ErrorCode + @@ERROR
IF @ErrorCode <> 0
BEGIN
SELECT '<FaultClass>1</FaultClass><FaultCode>1</FaultCode>'
+ '<FaultDesc>Internal Database Error.</FaultDesc>'
+ '<FaultDebugInfo>(spGetAutoCompleteList): There was an error while trying to SELECT from tbAutoComplete.</FaultDebugInfo>'
ROLLBACK TRAN
RETURN
END
COMMIT TRAN
将@Where=@Where+'和ac.AutoCompleteName设置为%'+@NameSubstring+'%'这样,您会问在使用动态查询和sp_executesql时如何指定参数 可以这样做:
DECLARE /* ... */
SET @SQLString = N'SELECT @LastlnameOUT = max(lname) FROM pubs.dbo.employee WHERE job_lvl = @level'
SET @ParmDefinition = N'@level tinyint, @LastlnameOUT varchar(30) OUTPUT'
SET @IntVariable = 35
EXECUTE sp_executesql @SQLString, @ParmDefinition, @level = @IntVariable, @LastlnameOUT=@Lastlname OUTPUT
您可以在此处阅读更多信息:@NameString需要在引号之外。要将@NameString%括在引号中,可以使用两个单引号将引号字符转义为文字
SET @Where = @Where + '
AND ac.AutoCompleteName like ''' + @NameSubstring + '%'''
如果不使用动态SQL,这可能不会成为问题。在我看来,一个普通的查询也能很好地工作,并且更易于阅读和调试。考虑以下事项:
SELECT ac.AutoCompleteID,
ac.AutoCompleteName,
ac.CompanyID,
ac.StatusFlag,
ac.OwnerOperID,
ac.CreateDT,
ac.CreateOperID,
ac.UpdateDT,
ac.UpdateOperID,
ac.SubmitOperID,
ac.SubmitDT,
ac.ReviewComments
FROM tbAutoComplete ac
WHERE ((ac.AutoCompleteID = CAST(@AutoCompleteID AS nvarchar) OR (@AutoCompleteID IS NULL))
AND ((ac.StatusFlag = CAST(@StatusFlag AS nvarchar)) OR (@StatusFlag IS NULL))
AND ((ac.AutoCompleteName like @NameSubstring + '%') OR (@NameSubstring IS NULL))
AND ((ac.CompanyID = CAST(@CompanyID AS nvarchar)) OR (@CompanyID IS NULL))
这更简单、更清晰等。祝你好运 为了避免SQL注入,在将参数添加到SQL语句时不要使用连接。我强烈建议您使用以下格式:
IF @NameSubstring IS NOT NULL BEGIN
SET @Where += 'AND ac.AutoCompleteName LIKE @NameSubstring + char(37)'
END
通过使用char37而不是“%”,可以避免在字符串文字周围转义撇号
如果您想在任意一侧放置通配符,那么可以使用
IF @NameSubstring IS NOT NULL BEGIN
SET @Where += 'AND ac.AutoCompleteName LIKE char(37) + @NameSubstring + char(37)'
END
---------------------------------------
如果有人认为我错了,这里有证据证明串联是一种风险
IF NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[TestInjection]') AND type in (N'U')) BEGIN
create table TestInjection(ID int, Value nvarchar(10))
insert into TestInjection (ID,Value)
Values
(1,'Tom'),
(2,'Fred'),
(3,'Betty'),
(4,'Betty2'),
(5,'Betty3'),
(6,'George')
END
declare @NameSubstring nvarchar(1000) = 'Bet'
--declare @NameSubstring nvarchar(1000) = 'Bet%'';delete from TestInjection;select * from TestInjection where value = ''x'
declare @ID int = 2
Declare @sql nvarchar(1000) = 'select * from TestInjection where ID > @ID '
SET @sql +=' AND [Value] like ''' + @NameSubstring + '%'''
Declare @params nvarchar(100) = '@ID int'
exec sp_executesql @sql, @params, @ID
select * from TestInjection
第一次运行它,您将得到一个包含3条记录的结果集,另一个包含所有6条记录
现在,将@NameSubstring的声明替换为替代声明,然后重新运行。表中的所有数据都已删除
另一方面,如果您编写的代码如下:
declare @NameSubstring nvarchar(1000) = 'Bet'
--declare @NameSubstring nvarchar(1000) = 'Bet%'';delete from TestInjection;select * from TestInjection where value = ''x'
declare @ID int = 2
Declare @sql nvarchar(1000) = 'select * from TestInjection where ID > @ID '
SET @sql +=' AND [Value] LIKE @NameSubstring + char(37)'
Declare @params nvarchar(100) = '@ID int, @NameSubstring nvarchar(1000)'
exec sp_executesql @sql, @params, @ID, @NameSubstring
select * from TestInjection
然后您仍然会得到第一次返回的3条记录,但更改声明时不会丢失数据。您的意思是在原始代码中未指定的@NameString前面添加%吗?@Joe Stefaneli,这对SQL注入开放吗?我想试试这个,但我想确保这一点。谢谢,我不知道为什么会投反对票。如果有人真的认为答案不好,我添加了SQL,您可以运行它作为证明。