在SQL中,使用拒绝更新时如何引用参数/变量?
上述代码生成一条错误消息:在SQL中,使用拒绝更新时如何引用参数/变量?,sql,sql-server,variables,parameters,Sql,Sql Server,Variables,Parameters,上述代码生成一条错误消息: CREATE PROCEDURE cspFieldAccess @Tbl varchar(20), @Fld varchar(20), @Usr varchar(35), @Dny varchar(5), @All varchar(5) AS IF @Dny = 'Y' and @All = 'Y' DENY UPDATE ON [@Tbl] ([@Fld]) TO [MCCOSKERS\ViewPoint Production Users] ; ELSE IF @
CREATE PROCEDURE cspFieldAccess
@Tbl varchar(20),
@Fld varchar(20),
@Usr varchar(35),
@Dny varchar(5),
@All varchar(5)
AS
IF @Dny = 'Y' and @All = 'Y'
DENY UPDATE ON [@Tbl] ([@Fld]) TO [MCCOSKERS\ViewPoint Production Users] ;
ELSE IF @Dny = 'Y' and @All = 'N'
DENY UPDATE ON [@Tbl] ([@Fld]) TO [@Usr] ;
ELSE IF @Dny = 'N' and @All = 'Y'
GRANT UPDATE ON [@Tbl] ([@Fld]) TO [MCCOSKERS\ViewPoint Production Users] ;
ELSE IF @Dny = 'N' and @All = 'N'
DENY UPDATE ON [@Tbl] ([@Fld]) TO [@Usr] ;
EXEC cspFieldAccess 'HQRV', RevEmail, 'MCCOSKERS\PGunston', Y, N
我不希望查询查找名为“@Tbl”的表,而是希望它查找分配给@Tbl参数的值
我怎样才能做到这一点
下面的查询SQL Server已被解释,因此表达式是您键入时的求值表达式。要替换中的变量,需要使用动态SQL。但是,要小心,因为exec语句会使您打开sql注入的大门
Cannot find the object '@Tbl', because it does not exist or you do not have permission.
您还可以使用Query->SQLCMD模式,并尝试以下使用SQLCMD语法替换变量(如果您喜欢的话)
declare @Tbl varchar(20) = 'foo'
declare @Fld varchar(20) = 'bar'
declare @login varchar(100) = '[MCCOSKERS\ViewPoint Production Users]'
declare @sql varchar(max)
set @sql = 'DENY UPDATE ON [' + @Tbl + '] ([' + @Fld + ']) TO ' + @login + ' ;'
exec(@sql)
使用动态SQL:
:setvar Tbl foo
:setvar Fld bar
DENY UPDATE ON [$(Tbl)] ([$(Fld)]) TO [MCCOSKERS\ViewPoint Production Users];
运行并打印后,确认它看起来正常,然后取消注释EXEC
,然后重试
小心SQL注入,如果用户可以修改变量,您就有风险
declare
@Tbl varchar(20),
@Fld varchar(20),
@sql nvarchar(max)
set @Tbl = 'table'
set @Fld = 'field'
set @sql='DENY UPDATE ON ['+@Tbl+'] (['+@Fld]+') TO [MCCOSKERS\ViewPoint Production Users]'
print @sql
--exec sp_executesql @sql