SQL SERVER 2008动态查询问题
我有一个动态查询,如下所示SQL SERVER 2008动态查询问题,sql,sql-server,Sql,Sql Server,我有一个动态查询,如下所示 Alter PROCEDURE dbo.mySP -- Add the parameters for the stored procedure here ( @DBName varchar(50), @tblName varchar(50) ) AS BEGIN -- SET NOCOUNT ON added to prevent extra result sets from -- interfering
Alter PROCEDURE dbo.mySP
-- Add the parameters for the stored procedure here
(
@DBName varchar(50),
@tblName varchar(50)
)
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
-- Insert statements for procedure here
declare @string as varchar(50)
declare @string1 as varchar(50)
set @string1 = '[' + @DBName + ']' + '.[dbo].' + '[' + @tblName + ']'
set @string = 'select * from ' + @string1
exec @string
dbo.mySP 'dbtest1','tblTest'
结束
我是这样打电话的
Alter PROCEDURE dbo.mySP
-- Add the parameters for the stored procedure here
(
@DBName varchar(50),
@tblName varchar(50)
)
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
-- Insert statements for procedure here
declare @string as varchar(50)
declare @string1 as varchar(50)
set @string1 = '[' + @DBName + ']' + '.[dbo].' + '[' + @tblName + ']'
set @string = 'select * from ' + @string1
exec @string
dbo.mySP 'dbtest1','tblTest'
我遇到了一个错误
"Msg 203, Level 16, State 2, Procedure mySP, Line 27
The name 'select * from [dbtest1].[dbo].[tblTest]' is not a valid identifier."
怎么了?如何克服
提前感谢更改
exec @string
到
这是我刚刚测试的一个工作SP:
CREATE PROCEDURE [dbo].[test]
@DBName varchar(50),
@tblName varchar(50)
AS
BEGIN
SET NOCOUNT ON;
DECLARE @string AS VARCHAR(50)
DECLARE @string1 AS VARCHAR(50)
SET @string1 = '[' + @DBName + '].[dbo].[' + @tblName + ']'
SET @string = 'select * from ' + @string1
EXEC(@string)
END
它认为
@string
的内容指的是存储过程名称。你需要把
EXEC (@string)
或者最好使用存储过程sp_executesql
您还应该设置一些保护代码,以检查传入的值是否为实际表和数据库的名称。您可以查询信息模式中的视图以验证输入
您可以在我的博客上阅读更多信息。如果您将EXEC用作:
EXEC @String
EXEC (@Query)
它正在尝试使用@String变量中包含的名称运行过程。试一试:
create procedure TestProc
as
print 'you called TestProc!'
go
declare @string varchar(20)
set @string='TestProc'
exec @string
DECLARE @Query varchar(50)
set @Query='Print ''just ran it!'''
EXEC (@Query)
如果将EXEC用作:
EXEC @String
EXEC (@Query)
在@Query变量中运行sql,请尝试:
create procedure TestProc
as
print 'you called TestProc!'
go
declare @string varchar(20)
set @string='TestProc'
exec @string
DECLARE @Query varchar(50)
set @Query='Print ''just ran it!'''
EXEC (@Query)
我真的希望你检查一下SQL注入的地方……我认为任何人都会考虑编写这样的SP。请阅读:你改变了什么?为什么这能回答这个问题?