转义引号 - 存储过程 - MS SQL 2008

时间:2012-09-11 17:17:48

标签: sql-server stored-procedures escaping double-quotes

我正在使用MS SQL 2008中的存储过程 我的代码的问题在于UPDATE部分。我试图替换以单引号开头的字符串。

这是我正在搜索的字符串,我希望不用任何东西替换它。这可能是逃避报价等问题吗?

">%http%<!--

非常感谢。 以下是存储过程。

USE [cop_pcms]
GO
/****** Object:  StoredProcedure [dbo].[SearchAllTablesWildcard_Replace2]    Script    Date: 09/11/2012 11:33:46 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROC [dbo].[SearchAllTablesWildcard_Replace2]
(
@SearchStr nvarchar(100)
)
AS
BEGIN


CREATE TABLE #Results (ColumnName nvarchar(370), ColumnValue nvarchar(3630))

SET NOCOUNT ON

DECLARE @SQL NVARCHAR(4000)

DECLARE @TableName nvarchar(256), @ColumnName nvarchar(128), @SearchStr2 nvarchar(110)
SET  @TableName = ''
SET @SearchStr2 = QUOTENAME('%' + @SearchStr + '%','''')

WHILE @TableName IS NOT NULL
BEGIN
    SET @ColumnName = ''
    SET @TableName = 
    (
        SELECT MIN(QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME))
        FROM    INFORMATION_SCHEMA.TABLES
        WHERE       TABLE_TYPE = 'BASE TABLE'
            AND QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME) > @TableName
            AND OBJECTPROPERTY(
                    OBJECT_ID(
                        QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME)
                         ), 'IsMSShipped'
                           ) = 0
    )

    WHILE (@TableName IS NOT NULL) AND (@ColumnName IS NOT NULL)
    BEGIN
        SET @ColumnName =
        (
            SELECT MIN(QUOTENAME(COLUMN_NAME))
            FROM    INFORMATION_SCHEMA.COLUMNS
            WHERE       TABLE_SCHEMA    = PARSENAME(@TableName, 2)
                AND TABLE_NAME  = PARSENAME(@TableName, 1)
                AND DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar')
                AND QUOTENAME(COLUMN_NAME) > @ColumnName
        )

        IF @ColumnName IS NOT NULL
        BEGIN
            INSERT INTO #Results
            EXEC
            (
                'SELECT ''' + @TableName + '.' + @ColumnName + ''', LEFT(' + @ColumnName + ', 3630)' +
                ' FROM ' + @TableName + ' (NOLOCK) ' +
                ' WHERE ' + @ColumnName + ' like ' + @SearchStr2
            )
        END


        IF @ColumnName IS NOT NULL        
        BEGIN
            SET @SQL = 'UPDATE ' + @TableName + 
            ' SET ' + @ColumnName + ' = REPLACE(' + @ColumnName + ',' + @SearchStr2 + ',' + ''''')' +
            ' WHERE ' + @ColumnName + ' LIKE ' + @SearchStr2 
            EXEC(@SQL)
        END        

    END 
END

SELECT ColumnName, ColumnValue FROM #Results
 END

1 个答案:

答案 0 :(得分:0)

我很难弄清楚你的问题是什么......但是......

如果您想要替换双引号

,这应该可以做到你想要的
select REPLACE('testing"testing','"','')

如果您想要替换字符串“&gt;%http%,此示例也应该有效

select REPLACE('testing">%http%<!--testing','">%http%<!--','')

然而这不会做任何事情

select REPLACE('testing">**http**<!--testing','">%http%<!--','')

更清楚。这也没有...注意:%不是“模式”中的通配符

select REPLACE('1111a23333','1a%3','')

同样QUOTENAME(TABLE_NAME)会在我认为您认为正在发生的事情周围放置方括号?

所以这可能是你的问题

REPLACE(' + @ColumnName + ',' + @SearchStr2 + ',' + ''''')'

这正在取代东西......后面是两个单引号。

请参阅:REPLACE (Transact-SQL)