如何使用sp_ExecuteSql对名称在变量中的数据库运行带参数的查询
我在Windows Server 2016中与Microsoft SQL Server 2016合作 我有一个带有1个参数的查询,字符串类型如何使用sp_ExecuteSql对名称在变量中的数据库运行带参数的查询,sql,sql-server,sp-executesql,Sql,Sql Server,Sp Executesql,我在Windows Server 2016中与Microsoft SQL Server 2016合作 我有一个带有1个参数的查询,字符串类型 select PH.project_name, PD.employee_id, E.first_name, E.last_name from project_header PH inner join project_detail PD on PD.project_id = PH.project_id inner join employee E on E
select PH.project_name, PD.employee_id, E.first_name, E.last_name
from project_header PH
inner join project_detail PD on PD.project_id = PH.project_id
inner join employee E on E.employee_id = PD.employee_id
where PH.project_name = @ProjectName
order by 1, 2;
其中@ProjectName
是varchar(50)类型
我必须编写一个proc,它接收两个参数:数据库名称和项目名称:
@a_database_name varchar(100),
@a_project_name varchar(50)
我想运行上面的查询,将@a_project_name
作为参数传递给查询。我想使用sp\u executeSQL
对@a\u database\u name
变量中提供的数据库运行查询。我该怎么做
我知道如何在没有
sp\u executeSQL
的情况下执行此任务。我想知道如何使用sp_executeSQL
?来创建该过程:
create procedure ProcName @a_database_name varchar(100),@a_project_name varchar(50)
as
begin
EXEC('USE ' + @a_database_name + ';select PH.project_name, PD.employee_id, E.first_name, E.last_name
from project_header PH
inner join project_detail PD on PD.project_id = PH.project_id
inner join employee E on E.employee_id = PD.employee_id
where PH.project_name= '+@a_project_name+' order by 1, 2;')
end
但它有SQL注入风险-如果提供了一个数据库名,则其中包含“删除数据库”。但是,如果您信任调用此过程的系统,则可以继续
或者,您可以使用以下查询,但其中不包含“use databasename”:
使用sp\u executesql进行查询:
create procedure ProcName @a_database_name varchar(100),@a_project_name varchar(50)
as
begin
DECLARE @SqlStatment AS NVARCHAR(1000)
SET @SqlStatment = 'select PH.project_name, PD.employee_id, E.first_name, E.last_name
from '+@a_database_name+'.dbo.project_header PH
inner join project_detail PD on PD.project_id = PH.project_id
inner join employee E on E.employee_id = PD.employee_id
where PH.project_name= @a_project_name order by 1, 2;'
EXECUTE sp_executesql @SqlStatment ,N'@a_project_name varchar',@a_project_name
end
create procedure ProcName @a_database_name varchar(100),@a_project_name varchar(50)
as
begin
declare @sp_executesql as nvarchar(1000)
SELECT @sp_executesql = quotename(@a_database_name) + '.sys.sp_executesql'
EXEC @sp_executesql N'select PH.project_name, PD.employee_id, E.first_name, E.last_name
from project_header PH inner join project_detail PD on PD.project_id = PH.project_id
inner join employee E on E.employee_id = PD.employee_id
where PH.project_name= @a_project_name order by 1, 2;',N'@a_project_name nvarchar(100)', @a_project_name;
end
修改后的答案:
create procedure ProcName @a_database_name varchar(100),@a_project_name varchar(50)
as
begin
DECLARE @SqlStatment AS NVARCHAR(1000)
SET @SqlStatment = 'select PH.project_name, PD.employee_id, E.first_name, E.last_name
from '+@a_database_name+'.dbo.project_header PH
inner join project_detail PD on PD.project_id = PH.project_id
inner join employee E on E.employee_id = PD.employee_id
where PH.project_name= @a_project_name order by 1, 2;'
EXECUTE sp_executesql @SqlStatment ,N'@a_project_name varchar',@a_project_name
end
create procedure ProcName @a_database_name varchar(100),@a_project_name varchar(50)
as
begin
declare @sp_executesql as nvarchar(1000)
SELECT @sp_executesql = quotename(@a_database_name) + '.sys.sp_executesql'
EXEC @sp_executesql N'select PH.project_name, PD.employee_id, E.first_name, E.last_name
from project_header PH inner join project_detail PD on PD.project_id = PH.project_id
inner join employee E on E.employee_id = PD.employee_id
where PH.project_name= @a_project_name order by 1, 2;',N'@a_project_name nvarchar(100)', @a_project_name;
end
但此解决方案没有使用
sp_executeSQL
。我更喜欢使用sp_executeSQL
ok的解决方案。让我重写。@srh请现在检查我是否正确。不工作。另外,我希望@a_数据库\u名称
参数化,就像@a_项目\u名称
数据库是sql server一样。对吗?