Aqi*_*qib 9 sql t-sql sql-server stored-procedures dynamic-sql
--sp_executesql version
--SET @SQLQUERY = 'UPDATE @TableName SET Brief = @Brief,
-- [Full] = @Full,
-- CreatedBy = @CreatedBy,
-- Department = @Department,
-- Answer = @Answer WHERE Id=@Id';
--SET @ParamDefinition=N'@TableName nvarchar(50),@Brief nvarchar(50),@Full nvarchar(MAX),@CreatedBy varchar(256),@Department varchar(256),@Answer nvarchar(MAX),@Id int'
-- exec sp_executesql @SQLQUERY,@ParamDefinition,@TableName,@Brief,@Full,@CreatedBy,@Department,@Answer,@Id;
-- exec version
SET @SQLQUERY = 'UPDATE ' + @TableName + ' SET
Brief ='+ @Brief+',
[Full] ='+ @Full+',
CreatedBy ='+ @CreatedBy+',
Department ='+ @Department+',
Answer ='+@Answer+' WHERE Id='+CAST(@Id as nvarchar(10))
print @SQLQUERY;
EXEC (@SQLQUERY)
我已经使用了两个EXEC和sp_executesql过程来执行我的动态查询,但两者都失败了.
如果EXEC动态查询未设置为@SQLQUERY变量(在调试后看到),如果 sp_executesql我在更新数据库时出现标量变量错误,并且我已经将所有内容传递给它.
案例很简单.您无法在UPDATE语句中参数化表/列名称:
SET @SQLQUERY = 'UPDATE @TableName --here is problem
SET Brief = @Brief,
[Full] = @Full,
CreatedBy = @CreatedBy,
Department = @Department,
Answer = @Answer
WHERE Id=@Id';
SET @ParamDefinition=N'@TableName nvarchar(50),@Brief nvarchar(50),
@Full nvarchar(MAX), @CreatedBy varchar(256),
@Department varchar(256),@Answer nvarchar(MAX),@Id int'
EXEC dbo.sp_executesql @SQLQUERY,@ParamDefinition,
@TableName,@Brief,@Full,
@CreatedBy,@Department,@Answer,@Id;
改为使用替代:
SET @SQLQUERY = N'UPDATE <tab_name>
SET Brief = @Brief,
[Full] = @Full,
CreatedBy = @CreatedBy,
Department = @Department,
Answer = @Answer
WHERE Id = @Id';
SET @SQLQUERY = REPLACE(@SQLQUERY, '<tab_name>', QUOTENAME(@TableName));
SET @ParamDefinition=N'@Brief nvarchar(50),@Full nvarchar(MAX),
@CreatedBy varchar(256),@Department varchar(256),
@Answer nvarchar(MAX),@Id int';
EXEC [dbo].[sp_executesql] @SQLQUERY,
@ParamDefinition,
@Brief,@Full,@CreatedBy, @Department,@Answer,@Id;
笔记:
SYSNAME数据类型.QUOTENAME(以避免潜在的SQL注入攻击).@CreatedBy是datetime这就是为什么我不明白为什么它是作为传递varchar(256).;.在将来的版本中,这将是强制性的.| 归档时间: |
|
| 查看次数: |
53 次 |
| 最近记录: |