MySQL (stored) procedure - parameters and query

Jon*_* C. 7 mysql stored-procedures

I am trying to create a simple procedure with parameters.

CALL new_procedure('mode', 'ASC');

The first input is the column, and the second input is the sort direction.

DELIMITER $$

CREATE DEFINER=`root`@`localhost` PROCEDURE `new_procedure`(IN in_order_by_column varchar(20), in_order_by_direction char(4))
BEGIN

    DECLARE order_by varchar(30);
    SET @order_by = CONCAT('`', in_order_by_column, '` ', in_order_by_direction);
/*
    SELECT * FROM `common_tags` ORDER BY @order_by  LIMIT 5;
*/
    SELECT @order_by as 'c';

END$$

DELIMITER ;

In the example above, I only output the 2 parameters so that I can see what is happening.

Result:

"c"
`mode` ASC

When I run the procedure with its intended code, as shown below.

DELIMITER $$

CREATE DEFINER=`root`@`localhost` PROCEDURE `new_procedure`(IN in_order_by_column varchar(20), in_order_by_direction char(4))
BEGIN

    DECLARE order_by varchar(30);
    SET @order_by = CONCAT('`', in_order_by_column, '` ', in_order_by_direction);
    SELECT * FROM `common_tags` ORDER BY @order_by  LIMIT 5;

END$$

DELIMITER ;

Result:

tags_id     data                mode        parent_id       position
1           Wood                2           13              6
2           Trippy              0           0               0
4           Artists             1           0               1
6           "Newest Additions"  1           0               11
12          "Natural Elements"  2           5               8

As you can see, the results are not sorted by mode.

Any help is appreciated.

Bli*_*itZ 10

Unfortunately, you need to PREPARE the entire query in this case:

DELIMITER $$

DROP PROCEDURE IF EXISTS `new_procedure`$$

CREATE PROCEDURE `new_procedure`(IN in_order_by_column varchar(20), in_order_by_direction char(4))
BEGIN
    SET @buffer = CONCAT_WS('',
        'SELECT * FROM `common_tags` ORDER BY `', in_order_by_column, '` ', in_order_by_direction, ' LIMIT 5'
    );

    PREPARE stmt FROM @buffer;
    EXECUTE stmt;

    DEALLOCATE PREPARE stmt;
END$$

DELIMITER ;

Note: The described approach should be used very carefully, because it is vulnerable to SQL injection attacks if used incorrectly.
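
One way to constrain the dynamic ORDER BY from the answer above, as an added example that is not the answerer's code: both parameters are mapped through fixed allowlists before PREPARE, so only literals written inside the procedure reach the query text. The procedure name `new_procedure_checked` is hypothetical, and the column list is an assumption taken from the result set shown in the question.

```sql
DELIMITER $$

DROP PROCEDURE IF EXISTS `new_procedure_checked`$$

-- Added example: hypothetical procedure name, same parameters as new_procedure.
CREATE PROCEDURE `new_procedure_checked`(
    IN in_order_by_column    varchar(20),
    IN in_order_by_direction char(4)
)
BEGIN
    DECLARE v_column    varchar(20);
    DECLARE v_direction char(4);

    -- Allowlist of sortable columns (assumed from the question's result set).
    -- The identifier placed in the query is the literal on the right-hand
    -- side, never the caller's string; anything else leaves v_column NULL.
    SET v_column = CASE in_order_by_column
        WHEN 'tags_id'   THEN 'tags_id'
        WHEN 'data'      THEN 'data'
        WHEN 'mode'      THEN 'mode'
        WHEN 'parent_id' THEN 'parent_id'
        WHEN 'position'  THEN 'position'
    END;

    -- Only the two keywords ORDER BY accepts as a direction.
    SET v_direction = CASE UPPER(TRIM(in_order_by_direction))
        WHEN 'ASC'  THEN 'ASC'
        WHEN 'DESC' THEN 'DESC'
    END;

    -- Reject the call before any SQL text is assembled.
    IF v_column IS NULL OR v_direction IS NULL THEN
        SIGNAL SQLSTATE '45000'
            SET MESSAGE_TEXT = 'new_procedure_checked: invalid sort column or direction';
    END IF;

    SET @buffer = CONCAT(
        'SELECT * FROM `common_tags` ORDER BY `', v_column, '` ', v_direction, ' LIMIT 5'
    );

    PREPARE stmt FROM @buffer;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;
END$$

DELIMITER ;

CALL new_procedure_checked('mode', 'ASC');         -- rows sorted by mode
CALL new_procedure_checked('not_a_column', 'ASC'); -- rejected with SQLSTATE 45000
```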