如何使用sp_ExecuteSql对名称在变量中的数据库运行带参数的查询_Sql_Sql Server_Sp Executesql

如何使用sp_ExecuteSql对名称在变量中的数据库运行带参数的查询

sql sql-server

如何使用sp_ExecuteSql对名称在变量中的数据库运行带参数的查询,sql,sql-server,sp-executesql,Sql,Sql Server,Sp Executesql,我在Windows Server 2016中与Microsoft SQL Server 2016合作我有一个带有1个参数的查询，字符串类型 select PH.project_name, PD.employee_id, E.first_name, E.last_name from project_header PH inner join project_detail PD on PD.project_id = PH.project_id inner join employee E on E

我在Windows Server 2016中与Microsoft SQL Server 2016合作

我有一个带有1个参数的查询，字符串类型

select PH.project_name, PD.employee_id, E.first_name, E.last_name 
from project_header PH 
inner join project_detail PD on PD.project_id = PH.project_id
inner join employee E on E.employee_id = PD.employee_id
where PH.project_name = @ProjectName
order by 1, 2;

其中

@ProjectName

是varchar（50）类型

我必须编写一个proc，它接收两个参数：数据库名称和项目名称：

@a_database_name varchar(100),
@a_project_name varchar(50)

我想运行上面的查询，将

@a_project_name

作为参数传递给查询。我想使用

sp\u executeSQL

对

@a\u database\u name

变量中提供的数据库运行查询。我该怎么做

我知道如何在没有

sp\u executeSQL

的情况下执行此任务。我想知道如何使用

sp_executeSQL

？

来创建该过程：

create procedure ProcName  @a_database_name varchar(100),@a_project_name varchar(50)
as
begin

EXEC('USE ' + @a_database_name + ';select PH.project_name, PD.employee_id, E.first_name, E.last_name 
from project_header PH 
inner join project_detail PD on PD.project_id = PH.project_id
inner join employee E on E.employee_id = PD.employee_id
where PH.project_name= '+@a_project_name+'  order by 1, 2;')
end

但它有SQL注入风险-如果提供了一个数据库名，则其中包含“删除数据库”。但是，如果您信任调用此过程的系统，则可以继续

或者，您可以使用以下查询，但其中不包含“use databasename”：

使用sp\u executesql进行查询：

create procedure ProcName  @a_database_name varchar(100),@a_project_name varchar(50)
as
begin
DECLARE  @SqlStatment AS NVARCHAR(1000)
SET @SqlStatment = 'select PH.project_name, PD.employee_id, E.first_name, E.last_name 
from '+@a_database_name+'.dbo.project_header PH 
inner join project_detail PD on PD.project_id = PH.project_id
inner join employee E on E.employee_id = PD.employee_id
where PH.project_name= @a_project_name  order by 1, 2;'

EXECUTE sp_executesql @SqlStatment ,N'@a_project_name varchar',@a_project_name


end

create procedure ProcName  @a_database_name varchar(100),@a_project_name varchar(50)
as
begin

declare @sp_executesql as nvarchar(1000)

SELECT @sp_executesql = quotename(@a_database_name) + '.sys.sp_executesql'
EXEC @sp_executesql N'select PH.project_name, PD.employee_id, E.first_name, E.last_name 
from project_header PH inner join project_detail PD on PD.project_id = PH.project_id
inner join employee E on E.employee_id = PD.employee_id
where PH.project_name= @a_project_name  order by 1, 2;',N'@a_project_name nvarchar(100)', @a_project_name;

end

修改后的答案：

create procedure ProcName  @a_database_name varchar(100),@a_project_name varchar(50)
as
begin
DECLARE  @SqlStatment AS NVARCHAR(1000)
SET @SqlStatment = 'select PH.project_name, PD.employee_id, E.first_name, E.last_name 
from '+@a_database_name+'.dbo.project_header PH 
inner join project_detail PD on PD.project_id = PH.project_id
inner join employee E on E.employee_id = PD.employee_id
where PH.project_name= @a_project_name  order by 1, 2;'

EXECUTE sp_executesql @SqlStatment ,N'@a_project_name varchar',@a_project_name


end

create procedure ProcName  @a_database_name varchar(100),@a_project_name varchar(50)
as
begin

declare @sp_executesql as nvarchar(1000)

SELECT @sp_executesql = quotename(@a_database_name) + '.sys.sp_executesql'
EXEC @sp_executesql N'select PH.project_name, PD.employee_id, E.first_name, E.last_name 
from project_header PH inner join project_detail PD on PD.project_id = PH.project_id
inner join employee E on E.employee_id = PD.employee_id
where PH.project_name= @a_project_name  order by 1, 2;',N'@a_project_name nvarchar(100)', @a_project_name;

end

但此解决方案没有使用

sp_executeSQL

。我更喜欢使用

sp_executeSQL

ok的解决方案。让我重写。@srh请现在检查我是否正确。不工作。另外，我希望

@a_数据库\u名称

参数化，就像

@a_项目\u名称

数据库是sql server一样。对吗？