1. 首頁
  2. 問答
  3. SQL Server:如何在存儲過程中設置動態列名稱

SQL Server:如何在存儲過程中設置動態列名稱

2014-06-25 41 views
0

我對動態過程很新穎,希望這裏的某個人可以幫助我解決以下問題。SQL Server:如何在存儲過程中設置動態列名稱

這似乎是我的問題與我的Where子句的AND部分。我沒有在這裏得到一個錯誤 - 它只是沒有返回任何結果。

編輯:我的動態列名稱是「R. @ searchCategory」。

我到目前爲止的過程:

ALTER PROCEDURE [dbo].[FetchRequests] 
    @searchCategory nvarchar(100) = '', 
    @searchTerm nvarchar(256) = '' 
AS 
BEGIN 
    BEGIN 

    DECLARE @sql nvarchar(max) 
    SET @sql = 'SELECT TOP 100 
       R.logID, 
       R.flag, 
       R.reviewer, 
       R.modBy, 
       A.Email AS requesterEmail, 
       B.Email AS approverEmail, 
       L.locale AS region, 
       L.country AS countryName 
    FROM  LogRequests R 
    LEFT JOIN EmpTable A 
    ON   A.NTID = R.requester 
    LEFT JOIN EmpTable B 
    ON   B.NTID = R.approver 
    INNER JOIN Locales_Countries L 
    ON   R.country = L.isoCode 
    WHERE  (R.logStatus LIKE ''%Completed%'' OR R.logStatus LIKE ''%Closed%'') 
    AND   R.' + @searchCategory + ''' LIKE ''%' + @searchTerm + '%'' 
    ORDER BY R.dateNeeded desc, R.dateRec desc, R.prio desc, R.EID desc 
    FOR XML PATH(''requests''), ELEMENTS, TYPE, ROOT(''ranks'')' 

    EXEC(@sql) 

    END 
END

提前,邁克非常感謝。

來源

2014-06-25 Mike

+1

我很驚訝這個執行的話 - 你有一個額外的單引號,則@searchCategory,應該使該語句拋出一個語法異常之後。此外,你真的打開SQL注入攻擊與此... –

回答

2

您的AND語句太多的報價...

將此:

AND   R.' + @searchCategory + ''' LIKE ''%' + @searchTerm + '%''

像這樣:

AND   R.' + @searchCategory + ' LIKE ''%' + @searchTerm + '%''

結果:

DECLARE @sql nvarchar(max), @searchCategory nvarchar(max), @searchTerm nvarchar(max) 

set @searchCategory = 'something' 
set @searchTerm = 'to look for' 

    SET @sql = 'SELECT TOP 100 
       R.logID, 
       R.flag, 
       R.reviewer, 
       R.modBy, 
       A.Email AS requesterEmail, 
       B.Email AS approverEmail, 
       L.locale AS region, 
       L.country AS countryName 
    FROM  LogRequests R 
    LEFT JOIN EmpTable A 
    ON   A.NTID = R.requester 
    LEFT JOIN EmpTable B 
    ON   B.NTID = R.approver 
    INNER JOIN Locales_Countries L 
    ON   R.country = L.isoCode 
    WHERE  (R.logStatus LIKE ''%Completed%'' OR R.logStatus LIKE ''%Closed%'') 
    AND   R.' + @searchCategory + ' LIKE ''%' + @searchTerm + '%'' 
    ORDER BY R.dateNeeded desc, R.dateRec desc, R.prio desc, R.EID desc 
    FOR XML PATH(''requests''), ELEMENTS, TYPE, ROOT(''ranks'')' 

    print @sql

我總是打印我的動態SQL ...和將輸出複製到新窗口,查看是否有任何內容不應該被轉義。

注意:請研究SQL注入攻擊,並使用sp_executeSQL - EXEC是不好的做法。

來源

2014-06-25 18:29:48 JiggsJedi

+0

修復它 - 真棒!非常感謝 - 沒想到它會那麼簡單。 :)我會盡快接受。 – Mike

1

當我發佈時,已經有了另一個正確答案:你在@sql定義中添加了太多的單引號。

捕獲這些簡單錯誤的一種方法是添加print @sql,這樣您就可以在嘗試執行查詢之前看到查詢是如何讀取的。我把它下面的修改後的腳本:

ALTER PROCEDURE [dbo].[FetchRequests] 
    @searchCategory nvarchar(100) = '', 
    @searchTerm nvarchar(256) = '' 
AS 
BEGIN 
    BEGIN 

    DECLARE @sql nvarchar(max) 
    SET @sql = 'SELECT TOP 100 
       R.logID, 
       R.flag, 
       R.reviewer, 
       R.modBy, 
       A.Email AS requesterEmail, 
       B.Email AS approverEmail, 
       L.locale AS region, 
       L.country AS countryName 
    FROM  LogRequests R 
    LEFT JOIN EmpTable A 
    ON   A.NTID = R.requester 
    LEFT JOIN EmpTable B 
    ON   B.NTID = R.approver 
    INNER JOIN Locales_Countries L 
    ON   R.country = L.isoCode 
    WHERE  (R.logStatus LIKE ''%Completed%'' OR R.logStatus LIKE ''%Closed%'') 
    AND   R.' + @searchCategory + ' LIKE ''%'' + @searchTerm + ''%'' 
    ORDER BY R.dateNeeded desc, R.dateRec desc, R.prio desc, R.EID desc 
    FOR XML PATH(''requests''), ELEMENTS, TYPE, ROOT(''ranks'')' 

    --print @sql 
    EXEC(@sql) 

    END 
END

來源

2014-06-25 18:31:51

相關問題

 相關問題