Fatal编程技术网
  • sql/
  • SQL SERVER 2008动态查询问题

SQL SERVER 2008动态查询问题

sql sql-server

SQL SERVER 2008动态查询问题,sql,sql-server,Sql,Sql Server,我有一个动态查询,如下所示 Alter PROCEDURE dbo.mySP -- Add the parameters for the stored procedure here ( @DBName varchar(50), @tblName varchar(50) ) AS BEGIN -- SET NOCOUNT ON added to prevent extra result sets from -- interfering

我有一个动态查询,如下所示

Alter PROCEDURE dbo.mySP 
    -- Add the parameters for the stored procedure here
    (
        @DBName varchar(50),
        @tblName varchar(50)

    )

AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;

-- Insert statements for procedure here
declare @string as varchar(50)
declare @string1 as varchar(50)

set @string1  = '[' + @DBName + ']' + '.[dbo].' + '[' + @tblName + ']'

set @string = 'select * from ' + @string1   

exec @string

dbo.mySP 'dbtest1','tblTest'
结束

我是这样打电话的

Alter PROCEDURE dbo.mySP 
    -- Add the parameters for the stored procedure here
    (
        @DBName varchar(50),
        @tblName varchar(50)

    )

AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;

-- Insert statements for procedure here
declare @string as varchar(50)
declare @string1 as varchar(50)

set @string1  = '[' + @DBName + ']' + '.[dbo].' + '[' + @tblName + ']'

set @string = 'select * from ' + @string1   

exec @string

dbo.mySP 'dbtest1','tblTest'
我遇到了一个错误

"Msg 203, Level 16, State 2, Procedure mySP, Line 27
The name 'select * from [dbtest1].[dbo].[tblTest]' is not a valid identifier."
怎么了?如何克服

提前感谢

更改

exec @string

这是我刚刚测试的一个工作SP:

CREATE PROCEDURE [dbo].[test] 
    @DBName varchar(50),
    @tblName varchar(50)
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @string AS VARCHAR(50)
    DECLARE @string1 AS VARCHAR(50)

    SET @string1 = '[' + @DBName + '].[dbo].[' + @tblName + ']'
    SET @string = 'select * from ' + @string1

    EXEC(@string)
END
它认为
@string
的内容指的是存储过程名称。你需要把

EXEC (@string)
或者最好使用存储过程
sp_executesql

您还应该设置一些保护代码,以检查传入的值是否为实际表和数据库的名称。您可以查询信息模式中的视图以验证输入

您可以在我的博客上阅读更多信息。

如果您将EXEC用作:

EXEC @String

EXEC (@Query)
它正在尝试使用@String变量中包含的名称运行过程。试一试:

create procedure TestProc
as
print 'you called TestProc!'
go

declare @string varchar(20)
set @string='TestProc'

exec @string

DECLARE @Query  varchar(50)
set @Query='Print ''just ran it!'''

EXEC (@Query)
如果将EXEC用作:

EXEC @String

EXEC (@Query)
在@Query变量中运行sql,请尝试:

create procedure TestProc
as
print 'you called TestProc!'
go

declare @string varchar(20)
set @string='TestProc'

exec @string

DECLARE @Query  varchar(50)
set @Query='Print ''just ran it!'''

EXEC (@Query)
我真的希望你检查一下SQL注入的地方……我认为任何人都会考虑编写这样的SP。请阅读:你改变了什么?为什么这能回答这个问题?