Syntax error in a SQL stored procedure
I am trying to implement a search feature on my form. The procedure takes the search text as a search parameter:
--[dbo].[sps_selectemployeedetails] 1,10,'aaa'
ALTER PROCEDURE [dbo].[sps_selectemployeedetails]
    @page INT,
    @size INT,
    @search VARCHAR(MAX) = NULL
AS
BEGIN
    DECLARE @totalrow INT
    DECLARE @offset INT
    DECLARE @newsize INT
    DECLARE @sql NVARCHAR(MAX)

    IF (@page = 0)
    BEGIN
        SET @offset = @page
        SET @newsize = @size
    END
    IF (@page = 1)
    BEGIN
        SET @offset = @page
        SET @newsize = @size - 1
    END
    ELSE
    BEGIN
        SET @page = @page - 1
        SET @offset = @page * @size
        SET @newsize = @size - 1
    END

    SET NOCOUNT ON

    IF (@search IS NULL)
    BEGIN
        SET @sql = '
        WITH OrderedSet AS
        (
            SELECT *, ROW_NUMBER() OVER (ORDER BY EmpID) AS ''Index''
            FROM tbl_employeeDetails
        )
        SELECT * FROM OrderedSet WHERE [Index] BETWEEN ' + CONVERT(NVARCHAR(12), @offset) + ' AND ' + CONVERT(NVARCHAR(12), (@offset + @newsize))
    END
    ELSE
    BEGIN
        SET @sql = '
        WITH OrderedSet AS
        (
            SELECT *, ROW_NUMBER() OVER (ORDER BY EmpID) AS ''Index''
            FROM tbl_employeeDetails e, tbl_EmpAdddress a
            WHERE e.FirstName LIKE ''%''' + CONVERT(NVARCHAR(12), @search) + '''%'' AND a.EmpID = e.EmpID
        )
        SELECT * FROM OrderedSet WHERE [Index] BETWEEN ' + CONVERT(NVARCHAR(12), @offset) + ' AND ' + CONVERT(NVARCHAR(12), (@offset + @newsize))
    END

    EXECUTE (@sql)
END
I get an error: Incorrect syntax near 'aaa'.

There are two extra single quotes around your search condition:
SET @sql = '
WITH OrderedSet AS
(
SELECT *, ROW_NUMBER() OVER (ORDER BY EmpID) AS ''Index''
from tbl_employeeDetails e,tbl_EmpAdddress a where e.FirstName LIKE ''%' + CONVERT(NVARCHAR(12), @search) + '%'' and a.EmpID=e.EmpID
)
SELECT * FROM OrderedSet WHERE [Index] BETWEEN ' + CONVERT(NVARCHAR(12), @offset) + ' AND ' + CONVERT(NVARCHAR(12), (@offset + @newsize))
Use sp_executesql and pass in the parameters. The code would look something like this:
DECLARE @sql NVARCHAR(MAX);

SET @sql = N'
WITH OrderedSet AS (
    SELECT *, ROW_NUMBER() OVER (ORDER BY EmpID) AS ''Index''
    FROM tbl_employeeDetails
)
SELECT *
FROM OrderedSet
WHERE [Index] BETWEEN @offset AND (@offset + @newsize)
';

-- @offset and @newsize are bound as parameters instead of being concatenated into the text
EXEC sp_executesql @sql,
    N'@offset int, @newsize int',
    @offset = @offset, @newsize = @newsize;
If you add PRINT(@SQL) before the EXECUTE, you will see the dynamic SQL and (most likely) spot the problem quickly. Also, why is @search a varchar(MAX) when you CONVERT it to varchar(12) in the query? That is also injectable, although limited because of the CONVERT just mentioned.
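As an added example (not code from the question or from either answer above), here is the whole procedure rebuilt around sp_executesql, tying together the second answer's approach and the injection concern raised in the last comment: the search text is bound as a parameter, so a quote in it can no longer break the statement, and LIKE wildcards typed by the user are escaped. The table and column names (tbl_employeeDetails, tbl_EmpAdddress, EmpID, FirstName) come from the question; CREATE OR ALTER assumes SQL Server 2016 SP1 or later; the @pattern variable, the ESCAPE handling, the NVARCHAR(100) limit on @search, the EXISTS in place of the comma join and the simplified paging arithmetic are my assumptions.

```sql
-- Added example, not code from the question or the answers: the procedure from the
-- question rebuilt around sp_executesql. Table/column names come from the question;
-- CREATE OR ALTER assumes SQL Server 2016 SP1 or later; @pattern, the ESCAPE
-- handling, the length limit on @search and the paging arithmetic are assumptions.
CREATE OR ALTER PROCEDURE [dbo].[sps_selectemployeedetails]
    @page   INT,
    @size   INT,
    @search NVARCHAR(100) = NULL    -- bounded instead of VARCHAR(MAX); 100 is an assumed limit
AS
BEGIN
    SET NOCOUNT ON;

    -- ROW_NUMBER() starts at 1, so page 1 of size 10 is rows 1..10, page 2 is 11..20.
    DECLARE @offset INT = CASE WHEN @page <= 1 THEN 1 ELSE (@page - 1) * @size + 1 END;
    DECLARE @last   INT = @offset + @size - 1;

    -- Build the LIKE pattern in T-SQL, not inside the SQL text. A '%', '_' or '\'
    -- typed by the user is escaped so it matches literally; a single quote needs
    -- no treatment at all because the value never becomes part of the statement.
    DECLARE @pattern NVARCHAR(300) = NULL;
    IF @search IS NOT NULL
        SET @pattern = N'%'
            + REPLACE(REPLACE(REPLACE(@search, N'\', N'\\'), N'%', N'\%'), N'_', N'\_')
            + N'%';

    -- The statement text is a constant: no caller-supplied value is ever concatenated
    -- into it. The search branch of the question required a matching address row, so
    -- the EXISTS keeps that rule (without duplicating employees who have several rows).
    DECLARE @sql NVARCHAR(MAX) = N'
    WITH OrderedSet AS
    (
        SELECT e.*, ROW_NUMBER() OVER (ORDER BY e.EmpID) AS [Index]
        FROM tbl_employeeDetails e
        WHERE @pattern IS NULL
           OR (e.FirstName LIKE @pattern ESCAPE ''\''
               AND EXISTS (SELECT 1 FROM tbl_EmpAdddress a WHERE a.EmpID = e.EmpID))
    )
    SELECT *
    FROM OrderedSet
    WHERE [Index] BETWEEN @offset AND @last
    ORDER BY [Index];';

    -- What the comment above suggests: PRINT shows exactly what the engine will run.
    -- Here it is always the same text, whatever the caller passed.
    PRINT @sql;

    EXEC sp_executesql
        @sql,
        N'@pattern NVARCHAR(300), @offset INT, @last INT',
        @pattern = @pattern, @offset = @offset, @last = @last;
END
GO

-- Constructed calls against assumed data. The concatenated version in the question
-- fails with a syntax error on the second one and treats the third as a wildcard
-- match; here both are plain search strings.
EXEC [dbo].[sps_selectemployeedetails] @page = 1, @size = 10, @search = N'aaa';
EXEC [dbo].[sps_selectemployeedetails] @page = 1, @size = 10, @search = N'O''Brien';
EXEC [dbo].[sps_selectemployeedetails] @page = 2, @size = 10, @search = N'100%';
EXEC [dbo].[sps_selectemployeedetails] @page = 1, @size = 10;   -- no filter
```

The point of binding rather than concatenating is that the query text no longer depends on the input, so there is nothing for a quote or a comment marker in @search to break out of; the CONVERT to 12 characters in the original only shortens what an attacker can write, it does not close the hole. The ESCAPE clause handles the separate problem that LIKE treats '%' and '_' as wildcards even when they arrive through a parameter.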