动态 SQL 无法更改 SQL 服务器中的变量列名称
Dynamic SQL not working for changing variable column name in SQL Server
我想编写一个存储过程,用于在 table 中更新所有者姓名、备份联系人、其他联系人等的 ID。这些 ID 将从其他 table 获取。我不想为所有这些联系信息编写不同的存储过程,而是想编写一个动态 SQL,我可以在其中将列名作为变量名传递。
我的存储过程如下所示:
CREATE PROCEDURE spUpdateUser
(@recordid [NVARCHAR](50),
@id [NVARCHAR](10),
@user [NVARCHAR](50))
AS
BEGIN
DECLARE @sql NVARCHAR(MAX);
SET NOCOUNT ON;
SET @sql = N'UPDATE [dbo].[table1]
SET'+ QUOTENAME(@user) + ' = (SELECT [dbo].[table2].User
FROM [dbo].[table2]
WHERE [dbo].[table2].id = ' + QUOTENAME(@id) + ')
WHERE record = ' + QUOTENAME(@recordid)
EXEC sp_executesql @sql;
END;
GO
执行查询后,它运行没有错误,但用户在 table1 中没有更改。
程序中缺少什么?
不要注入你的参数,对它们进行参数化:
CREATE PROCEDURE spUpdateUser
-- Add the parameters for the stored procedure here
( @recordid [nvarchar](50), --Are your IDs really an nvarchar?
@id [nvarchar](10), --Are your IDs really an nvarchar?
@user sysname --As this is an object, lets use the correct datatype
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
DECLARE @sql NVARCHAR(MAX),
@CRLF nchar(2) = NCHAR(13) + NCHAR(10);
SET NOCOUNT ON;
-- Insert statements for procedure here
SET @sql= N'UPDATE [dbo].[table1]' + @CRLF +
N'SET ' + QUOTENAME(@user) + N' = (SELECT [table2].User' + @CRLF + --3 part naming for columns is deprecated, don't use it
N' FROM [dbo].[table2]' + @CRLF +
N' WHERE [table2].id= @id)' + @CRLF + --3 part naming for columns is deprecated, don't use it
N'WHERE record = @recordid;';
--PRINT @SQL; --Your Best Friend
EXEC sp_executesql @sql, N'@id nvarchar(10), @recordid nvarchar(50)', @id, @recordid; --Assumes that IDs are an nvarchar again
END;
GO
请注意,我在其中留下了一些评论供您使用和查看。
我想编写一个存储过程,用于在 table 中更新所有者姓名、备份联系人、其他联系人等的 ID。这些 ID 将从其他 table 获取。我不想为所有这些联系信息编写不同的存储过程,而是想编写一个动态 SQL,我可以在其中将列名作为变量名传递。
我的存储过程如下所示:
CREATE PROCEDURE spUpdateUser
(@recordid [NVARCHAR](50),
@id [NVARCHAR](10),
@user [NVARCHAR](50))
AS
BEGIN
DECLARE @sql NVARCHAR(MAX);
SET NOCOUNT ON;
SET @sql = N'UPDATE [dbo].[table1]
SET'+ QUOTENAME(@user) + ' = (SELECT [dbo].[table2].User
FROM [dbo].[table2]
WHERE [dbo].[table2].id = ' + QUOTENAME(@id) + ')
WHERE record = ' + QUOTENAME(@recordid)
EXEC sp_executesql @sql;
END;
GO
执行查询后,它运行没有错误,但用户在 table1 中没有更改。
程序中缺少什么?
不要注入你的参数,对它们进行参数化:
CREATE PROCEDURE spUpdateUser
-- Add the parameters for the stored procedure here
( @recordid [nvarchar](50), --Are your IDs really an nvarchar?
@id [nvarchar](10), --Are your IDs really an nvarchar?
@user sysname --As this is an object, lets use the correct datatype
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
DECLARE @sql NVARCHAR(MAX),
@CRLF nchar(2) = NCHAR(13) + NCHAR(10);
SET NOCOUNT ON;
-- Insert statements for procedure here
SET @sql= N'UPDATE [dbo].[table1]' + @CRLF +
N'SET ' + QUOTENAME(@user) + N' = (SELECT [table2].User' + @CRLF + --3 part naming for columns is deprecated, don't use it
N' FROM [dbo].[table2]' + @CRLF +
N' WHERE [table2].id= @id)' + @CRLF + --3 part naming for columns is deprecated, don't use it
N'WHERE record = @recordid;';
--PRINT @SQL; --Your Best Friend
EXEC sp_executesql @sql, N'@id nvarchar(10), @recordid nvarchar(50)', @id, @recordid; --Assumes that IDs are an nvarchar again
END;
GO
请注意,我在其中留下了一些评论供您使用和查看。