在Microsoft SQL Server 2005,經典的ASP代碼,我把使用這個SQL查詢:在SQL Server中不工作Select語句
selectHireResponseSQL = "
SELECT HireResponseID, HireResponse, DateResponse, Comments, YearFileOpened
, file_number, isCaseOpen, last_update, isConfidential, date_created
, OurClient, TheirClient, ProjectName, DESCRIPTION, lawyer_lastname
, lawyer_firstname, Conflicts.ConflictID
FROM Hire_Response
, Conflicts
, Lawyers
WHERE Hire_Response.ConflictID = Conflicts.ConflictID
AND Lawyers.lawyerID = Conflicts.lawyerID
AND firmID IN (" & FirmIDString & ")
AND HireID = " & HireID & "
AND isStillaConflict = 1
ORDER BY
file_number
, TheirClient
, OurClient
, lawyer_lastname
, lawyer_firstname
"
上面沒有一個存儲過程。 另外,FirmIDString
變量是一個逗號分隔的數字列表,如'1,2,3'
。
的字符串被格式化後的一個例子是:
select HireResponseID, HireResponse, DateResponse, Comments, YearFileOpened, file_number, isCaseOpen, last_update, isConfidential, date_created, OurClient, TheirClient, ProjectName, description, lawyer_lastname, lawyer_firstname, Conflicts.ConflictID
from Hire_Response, Conflicts, Lawyers
WHERE Hire_Response.ConflictID=Conflicts.ConflictID AND Lawyers.lawyerID=Conflicts.lawyerID AND firmID IN (47,140,138,137,139) AND HireID = 594 AND isStillaConflict = 1
ORDER BY file_number, TheirClient, OurClient, lawyer_lastname, lawyer_firstname
現在我想變成一個存儲過程。所以我改變了ASP經典代碼
selectHireResponseSQL = "
EXEC ps_selectHireResponseSQL '" & FirmIDString & "'," & HireID
,並且存儲過程是:
SELECT HireResponseID, HireResponse, DateResponse, Comments, YearFileOpened
, file_number, isCaseOpen, last_update, isConfidential, date_created
, OurClient, TheirClient, ProjectName, DESCRIPTION, lawyer_lastname
, lawyer_firstname, Conflicts.ConflictID
FROM Hire_Response
, Conflicts
, Lawyers
WHERE Hire_Response.ConflictID = Conflicts.ConflictID
AND Lawyers.lawyerID = Conflicts.lawyerID
AND CHARINDEX(',' + CAST(firmID AS NVARCHAR) + ',',','[email protected] + ',') >0
AND HireID = @HireID
AND isStillaConflict = 1
ORDER BY
file_number
, TheirClient
, OurClient
, lawyer_lastname
, lawyer_firstname
但現在我沒有得到根本的任何記錄(代碼似乎沒有錯誤雖然運行)。我知道我應該得到記錄,因爲如果我切換到非存儲過程,我會得到記錄。
有人知道這裏有什麼問題嗎?
此代碼易受sql注入攻擊。你實際上乞求被黑客入侵。 –
你讀過這個:http://www.sommarskog.se/dynamic_sql.html#List – Meff