1. 首頁
  2. 問答
  3. 在SQL Server中不工作Select語句

在SQL Server中不工作Select語句

2013-05-29 85 views
0

在Microsoft SQL Server 2005,經典的ASP代碼,我把使用這個SQL查詢:在SQL Server中不工作Select語句

selectHireResponseSQL = " 
    SELECT HireResponseID, HireResponse, DateResponse, Comments, YearFileOpened 
     , file_number, isCaseOpen, last_update, isConfidential, date_created 
     , OurClient, TheirClient, ProjectName, DESCRIPTION, lawyer_lastname 
     , lawyer_firstname, Conflicts.ConflictID 
    FROM Hire_Response 
     , Conflicts 
     , Lawyers 
WHERE Hire_Response.ConflictID = Conflicts.ConflictID 
    AND Lawyers.lawyerID = Conflicts.lawyerID 
    AND firmID IN (" & FirmIDString & ") 
    AND HireID = " & HireID & " 
    AND isStillaConflict = 1 
ORDER BY 
     file_number 
     , TheirClient 
     , OurClient 
     , lawyer_lastname 
     , lawyer_firstname 
"

上面沒有一個存儲過程。 另外,FirmIDString變量是一個逗號分隔的數字列表,如'1,2,3'

的字符串被格式化後的一個例子是:

select HireResponseID, HireResponse, DateResponse, Comments, YearFileOpened, file_number, isCaseOpen, last_update, isConfidential, date_created, OurClient, TheirClient, ProjectName, description, lawyer_lastname, lawyer_firstname, Conflicts.ConflictID 
from Hire_Response, Conflicts, Lawyers 
WHERE Hire_Response.ConflictID=Conflicts.ConflictID AND Lawyers.lawyerID=Conflicts.lawyerID AND firmID IN (47,140,138,137,139) AND HireID = 594 AND isStillaConflict = 1 
ORDER BY file_number, TheirClient, OurClient, lawyer_lastname, lawyer_firstname

現在我想變成一個存儲過程。所以我改變了ASP經典代碼

selectHireResponseSQL = " 
       EXEC ps_selectHireResponseSQL '" & FirmIDString & "'," & HireID

,並且存儲過程是:

SELECT HireResponseID, HireResponse, DateResponse, Comments, YearFileOpened 
     , file_number, isCaseOpen, last_update, isConfidential, date_created 
     , OurClient, TheirClient, ProjectName, DESCRIPTION, lawyer_lastname 
     , lawyer_firstname, Conflicts.ConflictID 
    FROM Hire_Response 
     , Conflicts 
     , Lawyers 
WHERE Hire_Response.ConflictID = Conflicts.ConflictID 
    AND Lawyers.lawyerID = Conflicts.lawyerID 
    AND CHARINDEX(',' + CAST(firmID AS NVARCHAR) + ',',','[email protected] + ',') >0 
    AND HireID = @HireID 
    AND isStillaConflict = 1 
ORDER BY 
     file_number 
     , TheirClient 
     , OurClient 
     , lawyer_lastname 
     , lawyer_firstname

但現在我沒有得到根本的任何記錄(代碼似乎沒有錯誤雖然運行)。我知道我應該得到記錄,因爲如果我切換到非存儲過程,我會得到記錄。

有人知道這裏有什麼問題嗎?

來源

2013-05-29 omega

+2

此代碼易受sql注入攻擊。你實際上乞求被黑客入侵。 –

+0

你讀過這個:http://www.sommarskog.se/dynamic_sql.html#List – Meff

回答

3

這是你查詢的改進重寫(這僅修復了別名,在加入和nvarchar沒有大小):

select HireResponseID, HireResponse, DateResponse, Comments, YearFileOpened, file_number, 
     isCaseOpen, last_update, isConfidential, date_created, OurClient, TheirClient, 
     ProjectName, description, lawyer_lastname, lawyer_firstname, Conflicts.ConflictID 
from Conflics c join 
    Hire_Response hr 
    on hr.ConflictID=c.ConflictID join 
    Lawyers l 
    on l.lawyerID=c.lawyerID 
WHERE CHARINDEX(',' + CAST(firmID as varchar(30)) + ',', ',' + @FirmIDString + ',') > 0 
    AND HireID = @HireID 
    AND isStillaConflict = 1 
ORDER BY file_number, TheirClient, OurClient, lawyer_lastname, lawyer_firstname;

這不會解決你的問題。如果在格式化後打印出工作版本,這將有所幫助。

我最好的猜測是@ FirmIDString`在ID之間有逗號和空格。如果是這樣,那麼這應該工作:

WHERE CHARINDEX(', ' + CAST(firmID as varchar(30)) + ', ', ', ' + @FirmIDString + ', ') > 0

來源

2013-05-29 13:45:29

+0

我做了一個response.write正在做的查詢(非存儲過程),它是'EXEC ps_selectHireResponseSQL'76',659 ',所以即使有1個數字,它仍然不起作用...當它們有多個數字時,它將被格式化爲'EXEC ps_selectHireResponseSQL'47,140,​​138,137,139',594' – omega

+0

@omega。 。 。你確定原始查詢在這種情況下返回行嗎?如果是這樣,你可以用打印出來的查詢來編輯你的問題嗎? –

+0

@omega。 。 。我有個主意。當您將@FirmId聲明爲存儲過程的參數時,是否使用'varchar'或'varchar()'?如果你沒有長度,那麼它默認爲1,並且所有內容都被截斷。 –

相關問題

 相關問題