Warning: file_get_contents(/data/phpspider/zhask/data//catemap/4/sql-server-2008/3.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Sql 存储过程给定错误_Sql_Sql Server 2008 - Fatal编程技术网
Fatal编程技术网
  • sql/
  • Sql 存储过程给定错误

Sql 存储过程给定错误

sql sql-server-2008

Sql 存储过程给定错误,sql,sql-server-2008,Sql,Sql Server 2008,我正在尝试使用存储过程来显示表的结果。存储过程出现错误“过程需要参数”@parameters”,类型为“ntext/nchar/nvarchar” 您需要将参数定义传递给sp_executesql,请参阅: 您希望使用sp_executesql以便不必连接变量的主要原因之一是,可以使用参数化查询防止sql注入攻击 连接参数只会破坏目的,并使查询容易受到sql注入的攻击。请参见下面的正确使用动态sql的安全方法 ALTER PROCEDURE COMNODE_PROC_SearchProduct

我正在尝试使用存储过程来显示表的结果。存储过程出现错误“过程需要参数”@parameters”,类型为“ntext/nchar/nvarchar”

您需要将参数定义传递给sp_executesql,请参阅:

您希望使用sp_executesql以便不必连接变量的主要原因之一是,可以使用参数化查询防止sql注入攻击

连接参数只会破坏目的,并使查询容易受到sql注入的攻击。请参见下面的正确使用动态sql的安全方法

ALTER PROCEDURE COMNODE_PROC_SearchProduct --'','GUN',''

    @PRODUCTID      INT          = NULL,
    @PRODUCT_NAME   VARCHAR(500) = NULL,
    @PRODUCT_POINTS INT          = NULL  

AS
BEGIN

SET NOCOUNT ON;
   Declare @SQLQuery AS NVarchar(MAX);
   Declare @ParamDefinition AS NVarchar(MAX);

    Set @ParamDefinition = N'@ID INT, @NAME VARCHAR(500), @POINTS INT';

    -- A much cleaner way to write this would be...

   Set @SQLQuery = N'SELECT PRODUCT_ID,PRODUCT_NAME,PRODUCT_REDEEM_POINTS 
                     FROM TBL_REDEEM_PRODUCT 
                      WHERE  (1 = 1)'
                 + CASE WHEN @PRODUCTID Is Not Null 
                   THEN N' And PRODUCT_ID = @ID ' ELSE N' ' END     
                 + CASE WHEN @PRODUCT_NAME Is Not Null 
                   THEN N' And PRODUCT_NAME = @NAME ' ELSE N' ' END     
                 + CASE WHEN @PRODUCT_POINTS Is Not Null 
                   THEN N' And PRODUCT_REDEEM_POINTS = @POINTS' ELSE N' ' END     



  Execute sp_Executesql  @SQLQuery
                        ,@ParamDefinition   --<-- this was missing 
                        ,@ID = @PRODUCTID 
                        ,@NAME = @PRODUCT_NAME 
                        ,@POINTS = @PRODUCT_POINTS;

END
很抱歉,这又是一次拼写错误检查,我在那里留了一个额外的括号。只需检查下面的参考链接 
Execute sp_Executesql     @SQLQuery, 
        @ParamDefinition,
        @ID = @PRODUCTID , 
        @NAME = @PRODUCT_NAME , 
        @POINTS = @PRODUCT_POINTS;

ALTER PROCEDURE COMNODE_PROC_SearchProduct --'','GUN',''

    @PRODUCTID      INT          = NULL,
    @PRODUCT_NAME   VARCHAR(500) = NULL,
    @PRODUCT_POINTS INT          = NULL  

AS
BEGIN

SET NOCOUNT ON;
   Declare @SQLQuery AS NVarchar(MAX);
   Declare @ParamDefinition AS NVarchar(MAX);

    Set @ParamDefinition = N'@ID INT, @NAME VARCHAR(500), @POINTS INT';

    -- A much cleaner way to write this would be...

   Set @SQLQuery = N'SELECT PRODUCT_ID,PRODUCT_NAME,PRODUCT_REDEEM_POINTS 
                     FROM TBL_REDEEM_PRODUCT 
                      WHERE  (1 = 1)'
                 + CASE WHEN @PRODUCTID Is Not Null 
                   THEN N' And PRODUCT_ID = @ID ' ELSE N' ' END     
                 + CASE WHEN @PRODUCT_NAME Is Not Null 
                   THEN N' And PRODUCT_NAME = @NAME ' ELSE N' ' END     
                 + CASE WHEN @PRODUCT_POINTS Is Not Null 
                   THEN N' And PRODUCT_REDEEM_POINTS = @POINTS' ELSE N' ' END     



  Execute sp_Executesql  @SQLQuery
                        ,@ParamDefinition   --<-- this was missing 
                        ,@ID = @PRODUCTID 
                        ,@NAME = @PRODUCT_NAME 
                        ,@POINTS = @PRODUCT_POINTS;

END