2015-02-05 86 views
0

I am trying to use a stored procedure to display the results of a table. The stored procedure gives the error 'Procedure expects parameter '@parameters' of type 'ntext/nchar/nvarchar''. The stored procedure that gives the error:

ALTER PROCEDURE COMNODE_PROC_SearchProduct --'','GUN','' 

    @PRODUCTID INT = NULL, 
    @PRODUCT_NAME VARCHAR(500) = NULL, 
    @PRODUCT_POINTS INT = NULL 

AS 
BEGIN 

SET NOCOUNT ON; 
    Declare @SQLQuery AS NVarchar(MAX) 
    Declare @ParamDefinition AS NVarchar(MAX) 
    Set @ParamDefinition = '@ID INT, 
    @NAME VARCHAR(500), 
    @POINTS INT' 

    Set @SQLQuery = 'SELECT PRODUCT_ID,PRODUCT_NAME,PRODUCT_REDEEM_POINTS FROM TBL_REDEEM_PRODUCT WHERE (1 = 1)'; 

    If @PRODUCTID Is Not Null 
    Set @SQLQuery = @SQLQuery + ' And (PRODUCT_ID ='+CAST(@PRODUCTID AS VARCHAR(500))  

    If @PRODUCT_NAME Is Not Null 
    Set @SQLQuery = @SQLQuery + ' And (PRODUCT_NAME =' + CAST(@PRODUCT_NAME AS VARCHAR(500))  

    If @PRODUCT_POINTS Is Not Null 
    Set @SQLQuery = @SQLQuery + ' And (PRODUCT_REDEEM_POINTS ='+ CAST(@PRODUCT_POINTS AS VARCHAR(500)) 



    Execute sp_Executesql  @SQLQuery, 
      @ID = @PRODUCTID , 
      @NAME = @PRODUCT_NAME , 
      @POINTS = @PRODUCT_POINTS; 

END 
+0

Just check the reference below. Link: https://stackoverflow.com/questions/6904451/how-to-fix-the-error-procedure-expects-parameter-parameters-of-type-ntext-nc – 2017-08-22 08:47:53

Answer

1

One of the main reasons you would want to use sp_executesql, and therefore not have to concatenate variables, is that you can use parameterized queries to prevent SQL injection attacks.

Concatenating your parameters just defeats the purpose and makes your query vulnerable to SQL injection. See below for the correct, safe way of using dynamic SQL.

ALTER PROCEDURE COMNODE_PROC_SearchProduct --'','GUN','' 

    @PRODUCTID  INT   = NULL, 
    @PRODUCT_NAME VARCHAR(500) = NULL, 
    @PRODUCT_POINTS INT   = NULL 

AS 
BEGIN 

SET NOCOUNT ON; 
    Declare @SQLQuery AS NVarchar(MAX); 
    Declare @ParamDefinition AS NVarchar(MAX); 

    Set @ParamDefinition = N'@ID INT, @NAME VARCHAR(500), @POINTS INT'; 

    -- A much cleaner way to write this would be... 

    Set @SQLQuery = N'SELECT PRODUCT_ID,PRODUCT_NAME,PRODUCT_REDEEM_POINTS 
        FROM TBL_REDEEM_PRODUCT 
         WHERE (1 = 1)' 
       + CASE WHEN @PRODUCTID Is Not Null 
        THEN N' And PRODUCT_ID = @ID ' ELSE N' ' END  
       + CASE WHEN @PRODUCT_NAME Is Not Null 
        THEN N' And PRODUCT_NAME = @NAME ' ELSE N' ' END  
       + CASE WHEN @PRODUCT_POINTS Is Not Null 
        THEN N' And PRODUCT_REDEEM_POINTS = @POINTS' ELSE N' ' END  



    Execute sp_Executesql @SQLQuery 
         ,@ParamDefinition --<-- this was missing 
         ,@ID = @PRODUCTID 
         ,@NAME = @PRODUCT_NAME 
         ,@POINTS = @PRODUCT_POINTS; 

END 
+0

Sorry, that was a typo; check again, I had left an extra bracket in there. – 2015-02-05 16:20:46

+0

Thanks... I got it... – SANDEEP 2015-02-05 16:21:09
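The following T-SQL script is an added example, not code from the question or the answer. It builds the same optional-filter search with sp_executesql against a temporary table that stands in for TBL_REDEEM_PRODUCT (the table, its rows and the search values are constructed for the demo), and it contrasts the text the server compiles in the parameterized form with the text it would compile in the concatenating form from the question.

```sql
SET NOCOUNT ON;

-- Constructed sample data standing in for TBL_REDEEM_PRODUCT
CREATE TABLE #TBL_REDEEM_PRODUCT (
    PRODUCT_ID            INT          NOT NULL,
    PRODUCT_NAME          VARCHAR(500) NOT NULL,
    PRODUCT_REDEEM_POINTS INT          NOT NULL
);
INSERT INTO #TBL_REDEEM_PRODUCT VALUES
    (1, 'GUN',          100),
    (2, 'O''REILLY CAP', 50),   -- a name that contains a single quote
    (3, 'TORCH',        100);

-- Search inputs; any of them may be NULL to skip that filter (constructed values)
DECLARE @PRODUCTID      INT          = NULL,
        @PRODUCT_NAME   VARCHAR(500) = 'O''REILLY CAP',
        @PRODUCT_POINTS INT          = NULL;

DECLARE @SQLQuery        NVARCHAR(MAX),
        @ParamDefinition NVARCHAR(MAX);

-- Second argument of sp_executesql: declares every placeholder used in @SQLQuery
SET @ParamDefinition = N'@ID INT, @NAME VARCHAR(500), @POINTS INT';

-- Only query structure is concatenated; user-supplied values never enter the string
SET @SQLQuery = N'SELECT PRODUCT_ID, PRODUCT_NAME, PRODUCT_REDEEM_POINTS
                  FROM #TBL_REDEEM_PRODUCT
                  WHERE 1 = 1'
    + CASE WHEN @PRODUCTID      IS NOT NULL THEN N' AND PRODUCT_ID = @ID'                ELSE N'' END
    + CASE WHEN @PRODUCT_NAME   IS NOT NULL THEN N' AND PRODUCT_NAME = @NAME'            ELSE N'' END
    + CASE WHEN @PRODUCT_POINTS IS NOT NULL THEN N' AND PRODUCT_REDEEM_POINTS = @POINTS' ELSE N'' END;

PRINT @SQLQuery;   -- the text the server compiles; it contains placeholders, not data

-- Statement, parameter definition, then one value per placeholder
EXECUTE sp_executesql @SQLQuery, @ParamDefinition,
        @ID = @PRODUCTID, @NAME = @PRODUCT_NAME, @POINTS = @PRODUCT_POINTS;
-- Returns only the row for product 2: the embedded quote is passed as data.

-- For contrast, the text the concatenating version from the question would send:
DECLARE @Concatenated NVARCHAR(MAX) =
    N'SELECT PRODUCT_ID FROM #TBL_REDEEM_PRODUCT WHERE PRODUCT_NAME = '
    + CAST(@PRODUCT_NAME AS VARCHAR(500));
PRINT @Concatenated;
-- Prints: ... WHERE PRODUCT_NAME = O'REILLY CAP
-- The value has become part of the SQL text, so any quote in the input breaks the
-- statement, and whoever controls the input controls part of the query.

-- Leaving out @ParamDefinition (as in the question) leaves sp_executesql without
-- its @params argument, which is the 'expects parameter @parameters' error:
-- EXECUTE sp_executesql @SQLQuery, @ID = @PRODUCTID, @NAME = @PRODUCT_NAME;

DROP TABLE #TBL_REDEEM_PRODUCT;
```

Run the script in a single batch; the two PRINT lines show the difference between a statement that carries placeholders and one that carries the user's value. Because the parameterized statement text is the same for every search with the same set of non-NULL filters, the server can also reuse its plan, which the concatenated form prevents.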