带有“IN”语句的sp_executesql
我试图在SQL 2005中使用sp_executesql来防止SQL注入,我有一个简单的查询,如下所示:带有“IN”语句的sp_executesql,sql,sql-server-2005,tsql,sp-executesql,Sql,Sql Server 2005,Tsql,Sp Executesql,我试图在SQL 2005中使用sp_executesql来防止SQL注入,我有一个简单的查询,如下所示: SELECT * from table WHERE RegionCode in ('X101', 'B202') 但是,当我使用sp_executesql执行以下命令时,它不会返回任何内容 Set @Cmd = N'SELECT * FROM table WHERE RegionCode in (@P1)' SET @ParamDefinition = N'@P1 varchar(100)
SELECT * from table WHERE RegionCode in ('X101', 'B202')
Set @Cmd = N'SELECT * FROM table WHERE RegionCode in (@P1)'
SET @ParamDefinition = N'@P1 varchar(100)';
DECLARE @Code as nvarchar(100);
SET @Code = 'X101,B202'
EXECUTE sp_executesql @Cmd, @ParamDefinition, @P1 = @Code
SET @Code = 'X101' <-- This works, it returns a single region
SET @Code = 'X101,B202' <--- Returns nothing
SET @Code = '''X101'',''B202''' <-- Returns nothing
请帮忙。。。。我做错了什么?它不起作用的原因是@P1被视为一个单一的值 e、 g.当@Code为X101、B202时,查询的运行方式为: 从“X101,B202”中区域编码所在的表中选择* 因此,它正在寻找一个RegionCode,其值包含在@P1中。即使包含单引号,也意味着它在RegionCode中搜索的值应该包含这些单引号 您需要将@Code变量实际连接到@Cmd sql命令文本中,以使其按照您的想法工作:
SET @Code = '''X101'',''B202'''
SET @Cmd = 'SELECT * FROM Table WHERE RegionCode IN (' + @Code + ')'
EXECUTE (@Cmd)
如果您使用的是SQL Server 2008,那么表值参数将是最佳选择—这是我在该链接中演示的第三种方法,效果最好。看起来问题在于单个参数。实际上,你最终会得到:
SELECT * from table WHERE RegionCode in ('X101,B202')
Set @Cmd = N'SELECT * FROM table WHERE RegionCode in (@P1,@P2)'
SET @Code1 = 'X101'
SET @Code2 = 'B202'
但是,如果列表中有两个以上的项,则可能需要使用另一种方法,可能是使用临时表或表值参数。在SQL Server中有许多方法可以拆分字符串。本文介绍了几乎每种方法的优缺点: 您需要创建一个拆分函数。这就是拆分函数的使用方式:
SELECT
*
FROM YourTable y
INNER JOIN dbo.yourSplitFunction(@Parameter) s ON y.ID=s.Value
SELECT TOP 10000 IDENTITY(int,1,1) AS Number
INTO Numbers
FROM sys.objects s1
CROSS JOIN sys.objects s2
ALTER TABLE Numbers ADD CONSTRAINT PK_Numbers PRIMARY KEY CLUSTERED (Number)
CREATE FUNCTION [dbo].[FN_ListToTable]
(
@SplitOn char(1) --REQUIRED, the character to split the @List string on
,@List varchar(8000)--REQUIRED, the list to split apart
)
RETURNS TABLE
AS
RETURN
(
----------------
--SINGLE QUERY-- --this will not return empty rows
----------------
SELECT
ListValue
FROM (SELECT
LTRIM(RTRIM(SUBSTRING(List2, number+1, CHARINDEX(@SplitOn, List2, number+1)-number - 1))) AS ListValue
FROM (
SELECT @SplitOn + @List + @SplitOn AS List2
) AS dt
INNER JOIN Numbers n ON n.Number < LEN(dt.List2)
WHERE SUBSTRING(List2, number, 1) = @SplitOn
) dt2
WHERE ListValue IS NOT NULL AND ListValue!=''
);
GO
CREATE TABLE YourTable (PK int primary key, RowValue varchar(5))
INSERT YourTable VALUES (1,'A')
INSERT YourTable VALUES (2,'BB')
INSERT YourTable VALUES (3,'CCC')
INSERT YourTable VALUES (4,'DDDD')
INSERT YourTable VALUES (5,'EEE')
INSERT YourTable VALUES (6,'FF')
INSERT YourTable VALUES (7,'G')
DECLARE @SQL nvarchar(1000)
,@ParamDefinition nvarchar(1000)
,@ParamValue varchar(100)
SELECT @SQL = N'SELECT * FROM YourTable WHERE PK IN (SELECT ListValue FROM dbo.FN_ListToTable('','',@P1))'
,@ParamDefinition = N'@P1 varchar(100)'
,@ParamValue = '2,4,,,6,,8,,2,,4'
EXECUTE sp_executesql @SQL, @ParamDefinition, @P1 = @ParamValue
PK RowValue
----------- --------
2 BB
4 DDDD
6 FF
(3 row(s) affected)
你解决了这个问题了吗,或者你能为这个问题添加更多的细节吗?
CREATE TABLE YourTable (PK int primary key, RowValue varchar(5))
INSERT YourTable VALUES (1,'A')
INSERT YourTable VALUES (2,'BB')
INSERT YourTable VALUES (3,'CCC')
INSERT YourTable VALUES (4,'DDDD')
INSERT YourTable VALUES (5,'EEE')
INSERT YourTable VALUES (6,'FF')
INSERT YourTable VALUES (7,'G')
DECLARE @SQL nvarchar(1000)
,@ParamDefinition nvarchar(1000)
,@ParamValue varchar(100)
SELECT @SQL = N'SELECT * FROM YourTable WHERE PK IN (SELECT ListValue FROM dbo.FN_ListToTable('','',@P1))'
,@ParamDefinition = N'@P1 varchar(100)'
,@ParamValue = '2,4,,,6,,8,,2,,4'
EXECUTE sp_executesql @SQL, @ParamDefinition, @P1 = @ParamValue
PK RowValue
----------- --------
2 BB
4 DDDD
6 FF
(3 row(s) affected)