出于某种原因,我无法宣布@wsDateFrom& @wsDateTo变量将在以下动态列SQL代码中使用。
DECLARE @cols AS NVARCHAR(MAX),
@query AS NVARCHAR(MAX)
DECLARE @wsDateFrom AS smalldatetime
DECLARE @wsDateTo AS smalldatetime
SET @wsDateFrom = '01-JAN-2015'
SET @wsDateTo = '30-JUN-2015'
select @cols = STUFF((SELECT DISTINCT ',' + QUOTENAME(a.AbsenceDescription)
FROM dbo.tblAbsentCodes AS a
FOR XML PATH(''), TYPE).value('.', 'NVARCHAR(MAX)'),1,1,'')
set @query = N'SELECT StudentID, ' + @cols +
'FROM (SELECT a.StudentID, ab.AbsenceDescription, a.AttendanceID
FROM dbo.tblAttendance AS a
INNER JOIN tblCalendar c
ON a.DateID = c.DateID
INNER JOIN tblAbsentCodes as ab
ON ab.AbsenceID = a.AbsenceID
WHERE c.DayDate BETWEEN @wsDateFrom AND @wsDateTo) AS p
PIVOT (COUNT(AttendanceID) FOR AbsenceDescription IN (' + @cols + ')) AS pvt '
execute(@query)
我得到的错误是
必须声明标量变量" @ wsDateFrom"。
但它就在那里!或者我应该以某种方式将DECLARE置于@query中?
如果是这种情况那么我如何在函数或存储过程中传递这两个日期变量?它会为sql-injection打开它不会吗?
答案 0 :(得分:2)
不,它不存在。 试试这个:
DECLARE @cols AS NVARCHAR(MAX),
@query AS NVARCHAR(MAX)
DECLARE @wsDateFrom AS smalldatetime
DECLARE @wsDateTo AS smalldatetime
SET @wsDateFrom = '01-JAN-2015'
SET @wsDateTo = '30-JUN-2015'
select @cols = STUFF((SELECT DISTINCT ',' + QUOTENAME(a.AbsenceDescription)
FROM dbo.tblAbsentCodes AS a
FOR XML PATH(''), TYPE).value('.', 'NVARCHAR(MAX)'),1,1,'')
set @query = N'SELECT StudentID, ' + @cols +
'FROM (SELECT a.StudentID, ab.AbsenceDescription, a.AttendanceID
FROM dbo.tblAttendance AS a
INNER JOIN tblCalendar c
ON a.DateID = c.DateID
INNER JOIN tblAbsentCodes as ab
ON ab.AbsenceID = a.AbsenceID
WHERE c.DayDate BETWEEN ' + @wsDateFrom + 'AND ' + @wsDateTo + ' ) AS p
PIVOT (COUNT(AttendanceID) FOR AbsenceDescription IN (' + @cols + ')) AS pvt '
execute(@query)