使用表单中的字符串作为存储过程中的参数(SQL 服务器)
Use string from form as parameter in stored procedure (SQL Server)
我一直在尝试按照这个问题 () and this one (Dynamic sql stored procedure update query issue?) 中的示例来使它正常工作,但目前还没有任何乐趣。我一直在尝试更复杂的 SQL 查询(仍在学习中),并且希望在这个问题上有一些 advice/guidance。
我正在尝试从网页 (PHP) 上提交的表单中获取一个字符串,以进入存储过程中更新查询的 where 子句。最终目标是将所有提供的参考编号更改为 statusrefno 4(这会将它们标记为已关闭的租赁产品)
这是完整的存储过程
ALTER PROCEDURE [dbo].[TestingPPMRemovals]
@EditedBy varchar (25),
@PPMsList varchar (max)
AS
BEGIN
SET NOCOUNT ON;
CREATE table #tempPPMs (PPMs varchar(max))
INSERT INTO #tempPPMs (PPMs) VALUES (@PPMsList)
INSERT INTO PPMsEdit_AuditTrail (EditedBy, EditDate, PPMsEdited)
VALUES (@EditedBy, getdate(), @PPMsList)
UPDATE jobs
SET StatusRefNo = 4, EditUserRefNo = 1114
WHERE WebReference IN (SELECT * FROM #tempPPMs)
END
这些 Web 引用的列表在查询中看起来像这样
UPDATE jobs
SET StatusRefNo = 4, EditUserRefNo = 1114
WHERE WebReference IN ('PPM-372046', 'PPM-372053', 'PPM-372072', 'PPM-372076', 'PPM-372077', 'PPM-372078')
我知道 'IN' 与存储过程不兼容,虽然 SQL 注入的风险非常低,因为该网页只能在本地访问,但我想否定这一点尽可能冒险。
我尝试执行此查询的替代方法也不起作用,这里是 -
INSERT INTO PPMsEdit_AuditTrail (EditedBy, EditDate, PPMsEdited)
VALUES (@EditedBy, getdate(), @PPMsList)
UPDATE jobs
SET StatusRefNo = 4, EditUserRefNo = 1114
WHERE WebReference IN (
SELECT Top 1 PPMsEdited
FROM PPMsEdit_AuditTrail
ORDER BY EditDate desc
)
这是我的 PHP 中的相关部分,以备上下文需要 -
$sqlsrv = sqlsrv_connect($serverName, $connectionInfo) or die(sqlsrv_error($sqlsrv));
$update = false;
$EditedBy = '';
$PPMsList = '';
$tsql = 'exec TestingPPMRemovals ?, ?';
if (isset($_POST['update'])){
$PPMsList = $_POST['PPMsList'];
$EditedBy = $_POST['EditedBy'];
$params = array($PPMsList, $EditedBy);
$result = sqlsrv_query($conn, $tsql, $params);
if ($result === false) {
die( print_r( sqlsrv_errors(), true) );
$response = array('response'=>'notok', 'data'=>'loyo');
$serverresponse = json_encode($response);
} else {
$row = sqlsrv_fetch_array( $result, SQLSRV_FETCH_NUMERIC);
$response = array('response'=>'ok', 'data'=>$row[0]);
$serverresponse = json_encode($response);
}
sqlsrv_free_stmt($result);
} else {
$response = array('response'=>'notok', 'flag'=>$flag, 'data'=>'cc');
$serverresponse = json_encode($response);
}
echo ($serverresponse);
$_SESSION['message'] = "This information has been succesfully updated";
$_SESSION['msg_returndate'] = "info";
header("location: ../success.php");
我的 PHP 代码基于 Dani Krossing 的 PHP Youtube 教程 (https://www.youtube.com/watch?v=5wGDu-aigZs&list=PL0eyrZgxdwhwBToawjm9faF1ixePexft-&index=33)
任何帮助我完成这项工作的建议或资源都会很棒。我花了很多时间寻找另一个 post 有帮助但没有找到。
谢谢
I am trying to take a string from a form submitted on a webpage (PHP) to go into a where clause for an update query in a stored procedure.
为此,您需要一个拆分器(也称为分词器)。如果您使用的是 SQL 2016+,则您有 STRING_SPLIT. For earlier versions you can grab this。使用 @WebReferenceNumbers 作为“提交的字符串”,您的 SQL 将如下所示:
DECLARE @WebReferenceNumbers VARCHAR(8000) =
'PPM-372046,PPM-372053,PPM-372072,PPM-372076,PPM-372077,PPM-372078'
-- SELECT | UPDATE | WHATEVER WHERE... IN
SELECT s.[value]
FROM STRING_SPLIT(@WebReferenceNumbers,',') AS s;
可能需要根据字符串的外观进行一些清理,例如空格修剪,但这是一项简单的任务。
我一直在尝试按照这个问题 (
我正在尝试从网页 (PHP) 上提交的表单中获取一个字符串,以进入存储过程中更新查询的 where 子句。最终目标是将所有提供的参考编号更改为 statusrefno 4(这会将它们标记为已关闭的租赁产品)
这是完整的存储过程
ALTER PROCEDURE [dbo].[TestingPPMRemovals]
@EditedBy varchar (25),
@PPMsList varchar (max)
AS
BEGIN
SET NOCOUNT ON;
CREATE table #tempPPMs (PPMs varchar(max))
INSERT INTO #tempPPMs (PPMs) VALUES (@PPMsList)
INSERT INTO PPMsEdit_AuditTrail (EditedBy, EditDate, PPMsEdited)
VALUES (@EditedBy, getdate(), @PPMsList)
UPDATE jobs
SET StatusRefNo = 4, EditUserRefNo = 1114
WHERE WebReference IN (SELECT * FROM #tempPPMs)
END
这些 Web 引用的列表在查询中看起来像这样
UPDATE jobs
SET StatusRefNo = 4, EditUserRefNo = 1114
WHERE WebReference IN ('PPM-372046', 'PPM-372053', 'PPM-372072', 'PPM-372076', 'PPM-372077', 'PPM-372078')
我知道 'IN' 与存储过程不兼容,虽然 SQL 注入的风险非常低,因为该网页只能在本地访问,但我想否定这一点尽可能冒险。
我尝试执行此查询的替代方法也不起作用,这里是 -
INSERT INTO PPMsEdit_AuditTrail (EditedBy, EditDate, PPMsEdited)
VALUES (@EditedBy, getdate(), @PPMsList)
UPDATE jobs
SET StatusRefNo = 4, EditUserRefNo = 1114
WHERE WebReference IN (
SELECT Top 1 PPMsEdited
FROM PPMsEdit_AuditTrail
ORDER BY EditDate desc
)
这是我的 PHP 中的相关部分,以备上下文需要 -
$sqlsrv = sqlsrv_connect($serverName, $connectionInfo) or die(sqlsrv_error($sqlsrv));
$update = false;
$EditedBy = '';
$PPMsList = '';
$tsql = 'exec TestingPPMRemovals ?, ?';
if (isset($_POST['update'])){
$PPMsList = $_POST['PPMsList'];
$EditedBy = $_POST['EditedBy'];
$params = array($PPMsList, $EditedBy);
$result = sqlsrv_query($conn, $tsql, $params);
if ($result === false) {
die( print_r( sqlsrv_errors(), true) );
$response = array('response'=>'notok', 'data'=>'loyo');
$serverresponse = json_encode($response);
} else {
$row = sqlsrv_fetch_array( $result, SQLSRV_FETCH_NUMERIC);
$response = array('response'=>'ok', 'data'=>$row[0]);
$serverresponse = json_encode($response);
}
sqlsrv_free_stmt($result);
} else {
$response = array('response'=>'notok', 'flag'=>$flag, 'data'=>'cc');
$serverresponse = json_encode($response);
}
echo ($serverresponse);
$_SESSION['message'] = "This information has been succesfully updated";
$_SESSION['msg_returndate'] = "info";
header("location: ../success.php");
我的 PHP 代码基于 Dani Krossing 的 PHP Youtube 教程 (https://www.youtube.com/watch?v=5wGDu-aigZs&list=PL0eyrZgxdwhwBToawjm9faF1ixePexft-&index=33)
任何帮助我完成这项工作的建议或资源都会很棒。我花了很多时间寻找另一个 post 有帮助但没有找到。
谢谢
I am trying to take a string from a form submitted on a webpage (PHP) to go into a where clause for an update query in a stored procedure.
为此,您需要一个拆分器(也称为分词器)。如果您使用的是 SQL 2016+,则您有 STRING_SPLIT. For earlier versions you can grab this。使用 @WebReferenceNumbers 作为“提交的字符串”,您的 SQL 将如下所示:
DECLARE @WebReferenceNumbers VARCHAR(8000) =
'PPM-372046,PPM-372053,PPM-372072,PPM-372076,PPM-372077,PPM-372078'
-- SELECT | UPDATE | WHATEVER WHERE... IN
SELECT s.[value]
FROM STRING_SPLIT(@WebReferenceNumbers,',') AS s;
可能需要根据字符串的外观进行一些清理,例如空格修剪,但这是一项简单的任务。