SQL 存储过程报错
我正在尝试用一个存储过程来显示表的查询结果，但执行时报错：“过程需要参数 '@parameters'，类型为 'ntext/nchar/nvarchar'”。（标签：sql、sql-server-2008）
您需要把参数定义（@params）一并传递给 sp_executesql，而不是只传 SQL 语句，请参阅：
使用 sp_executesql（而不是把变量拼接进 SQL 字符串）的主要原因之一，就是可以通过参数化查询防止 SQL 注入攻击。把参数值拼接进字符串只会破坏这一目的，让查询重新暴露在 SQL 注入之下。请参见下面正确、安全地使用动态 SQL 的写法。
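ALTER PROCEDURE COMNODE_PROC_SearchProduct --'','GUN',''
    -- Optional search filters. A NULL filter is simply not applied, so a call
    -- with all three left NULL returns every row of TBL_REDEEM_PRODUCT.
    @PRODUCTID      INT          = NULL,
    @PRODUCT_NAME   VARCHAR(500) = NULL,
    @PRODUCT_POINTS INT          = NULL
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @SQLQuery        NVARCHAR(MAX);
    DECLARE @ParamDefinition NVARCHAR(MAX);

    -- Parameter list handed to sp_executesql. The caller's values travel as
    -- typed parameters, never as text spliced into the statement; that is
    -- what keeps this dynamic SQL safe from injection. Types mirror the
    -- procedure's own parameters.
    SET @ParamDefinition = N'@ID INT, @NAME VARCHAR(500), @POINTS INT';

    -- Only the predicates whose filter is non-NULL are appended, and the
    -- appended text contains parameter *names* only, never caller data.
    SET @SQLQuery = N'SELECT PRODUCT_ID,PRODUCT_NAME,PRODUCT_REDEEM_POINTS
FROM TBL_REDEEM_PRODUCT
WHERE (1 = 1)'
        + CASE WHEN @PRODUCTID IS NOT NULL
               THEN N' And PRODUCT_ID = @ID ' ELSE N' ' END
        + CASE WHEN @PRODUCT_NAME IS NOT NULL
               THEN N' And PRODUCT_NAME = @NAME ' ELSE N' ' END
        + CASE WHEN @PRODUCT_POINTS IS NOT NULL
               THEN N' And PRODUCT_REDEEM_POINTS = @POINTS' ELSE N' ' END;

    -- The second argument (the parameter definition) is mandatory whenever
    -- the statement references parameters; leaving it out is what produces
    -- "Procedure expects parameter '@parameters' of type 'ntext/nchar/nvarchar'".
    EXEC sys.sp_executesql
        @SQLQuery,
        @ParamDefinition,
        @ID     = @PRODUCTID,
        @NAME   = @PRODUCT_NAME,
        @POINTS = @PRODUCT_POINTS;
END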
很抱歉，这又是一处拼写错误——我在那里多留了一个括号。请直接参照下面的写法
-- Same call as in the procedure above: the statement and its parameter
-- definition are passed by sp_executesql's own parameter names (@stmt,
-- @params), followed by one value per declared parameter.
EXEC sys.sp_executesql
    @stmt   = @SQLQuery,
    @params = @ParamDefinition,
    @ID     = @PRODUCTID,
    @NAME   = @PRODUCT_NAME,
    @POINTS = @PRODUCT_POINTS;
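ALTER PROCEDURE COMNODE_PROC_SearchProduct --'','GUN',''
    -- Search filters; each one is optional. A NULL filter adds no predicate,
    -- so leaving all three NULL returns the full TBL_REDEEM_PRODUCT table.
    @PRODUCTID      INT          = NULL,
    @PRODUCT_NAME   VARCHAR(500) = NULL,
    @PRODUCT_POINTS INT          = NULL
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @SQLQuery        NVARCHAR(MAX);
    DECLARE @ParamDefinition NVARCHAR(MAX);

    -- Typed parameter list for sp_executesql. Filter values are bound as
    -- parameters rather than concatenated into the statement text, which is
    -- the whole point of using sp_executesql: the data can never be parsed
    -- as SQL. Types match the procedure parameters.
    SET @ParamDefinition = N'@ID INT, @NAME VARCHAR(500), @POINTS INT';

    -- Build the WHERE clause from the non-NULL filters. Every fragment is a
    -- fixed literal referencing a parameter name; no caller value is spliced.
    SET @SQLQuery = N'SELECT PRODUCT_ID,PRODUCT_NAME,PRODUCT_REDEEM_POINTS
FROM TBL_REDEEM_PRODUCT
WHERE (1 = 1)'
        + CASE WHEN @PRODUCTID IS NOT NULL
               THEN N' And PRODUCT_ID = @ID ' ELSE N' ' END
        + CASE WHEN @PRODUCT_NAME IS NOT NULL
               THEN N' And PRODUCT_NAME = @NAME ' ELSE N' ' END
        + CASE WHEN @PRODUCT_POINTS IS NOT NULL
               THEN N' And PRODUCT_REDEEM_POINTS = @POINTS' ELSE N' ' END;

    -- sp_executesql needs the parameter definition as its second argument
    -- whenever the statement uses parameters. Omitting it was the cause of
    -- "Procedure expects parameter '@parameters' of type 'ntext/nchar/nvarchar'".
    EXEC sys.sp_executesql
        @SQLQuery,
        @ParamDefinition,
        @ID     = @PRODUCTID,
        @NAME   = @PRODUCT_NAME,
        @POINTS = @PRODUCT_POINTS;
END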