Sql 修改存储过程_Sql_Sql Server_Stored Procedures

Sql 修改存储过程

sql sql-server stored-procedures

Sql 修改存储过程,sql,sql-server,stored-procedures,Sql,Sql Server,Stored Procedures,我有一个存储过程，它根据分类账分录计算可用余额，如下所示。我想编辑并添加一个附加参数；原始SP仅执行此查询： SELECT SUM([amount value]) as [Bal available] FROM [xxxxxxxxxxxx $Ledger Entries] WHERE [Entry No_] ='number_here' 但我希望它能够实现： SELECT SUM([amount value]) as [Bal available] FROM [xxxxxxxxx

我有一个存储过程，它根据分类账分录计算可用余额，如下所示。我想编辑并添加一个附加参数；原始SP仅执行此查询：

SELECT SUM([amount value]) as [Bal available]  
FROM  [xxxxxxxxxxxx $Ledger Entries] 
WHERE [Entry No_] ='number_here'

但我希望它能够实现：

SELECT SUM([amount value]) as [Bal available]  
FROM  [xxxxxxxxxxxx $Ledger Entries] 
WHERE [Transaction Type] ='TYPE1' and [Entry No_] ='number_here'`

有什么建议吗

ALTER PROCEDURE [dbo].[loadbal] 
    (
    @Company_Name varchar(100),
    @EntNo varchar(100)
    )
AS
BEGIN
DECLARE @SQL VARCHAR(4000)
DECLARE @TableName VARCHAR(4000)

SET @TableName='['+@Company_Name+' $Ledger Entries]'

SELECT @SQL = ' SELECT SUM([amount value]) as [Bal available]  
                FROM '+@TableName+' WHERE [Entry No_] ='+@EntNo

EXEC (@SQL)

END

只需更改Select语句，如下所示：

SELECT @SQL = ' SELECT SUM([amount value]) as [Bal available]  FROM '+@TableName+' WHERE [Transaction Type] = ''TYPE1'' AND [Entry No_] ='+@EntNo

SQL查询将如下所示：

 SELECT SUM([amount value]) as [Bal available]  FROM [ $Ledger Entries] WHERE [Transaction Type] = 'TYPE1' AND [Entry No_] = <whatever u have passed here>

有点困惑，因为您似乎已经回答了自己的问题？此代码似乎容易受到SQL注入的影响。假设一个恶意实体设计了这样一种情况，即调用proc时公司名为“Blah]；删除表[用户]；-'我想在存储过程中实现它。下面的解决方案有效，我使用的是“TYPE1”而不是TYPE1