使用存储过程创建视图时出错

时间:2012-09-18 17:06:01

标签: sql-server-2008 tsql stored-procedures dynamic-sql sql-view

我有以下创建视图的存储过程:

ALTER PROC Proc_Guards_By_Client
(
    @client_number INT,
    @client_name   NVARCHAR(16)
)
AS
 BEGIN
   IF EXISTS(select * FROM sys.views where name = 'vwGuardsByClients')
   BEGIN
    EXEC ('CREATE VIEW vwGuardsByClients
    AS
    SELECT TOP 1000 
      cgt.[guard_id],
      sg.first_name,
      sg.last_name,
      sg.ammunition_quantity    
      FROM [sws4].[dbo].[client_guard_tracking] cgt
      INNER JOIN CLIENTS c
      ON c.client_number = cgt.client_number
      INNER JOIN security_guard sg
      ON sg.guard_id = cgt.guard_id
      WHERE cgt.client_number = @client_number
      OR c.client_name = @client_name
    ')
    END
    ELSE
    BEGIN
      EXEC ('UPDATE VIEW vwGuardsByClients
      SELECT TOP 1000 
      cgt.[guard_id],
      sg.first_name,
      sg.last_name,
      sg.ammunition_quantity    
      FROM [sws4].[dbo].[client_guard_tracking] cgt
      INNER JOIN CLIENTS c
      ON c.client_number = cgt.client_number
      INNER JOIN security_guard sg
      ON sg.guard_id = cgt.guard_id
      WHERE cgt.client_number = @client_number
      OR c.client_name = @client_name
    ')
    END

    IF @@ROWCOUNT = 0
        PRINT 'Warning: No rows were updated'
 END

但是当我执行它时,我得到了:

Msg 156, Level 15, State 1, Line 2
Incorrect syntax near the keyword 'VIEW'.

Msg 137, Level 15, State 2, Line 14
Must declare the scalar variable "@client_number".

2 个答案:

答案 0 :(得分:5)

仍有各种问题。当你承认它是倒退的时候,你的逻辑仍然向前,as you did yesterday。怎么还是错的?现在它说:

  

如果视图已存在:   
让我们创造它!   
  
否则,如果视图尚不存在:   
让我们编辑它!

下一个问题是您使用语法UPDATE VIEW。昨天你试图使用CREATE OR REPLACE。两者都没有效。您需要ALTER VIEW

您还在使用@@ROWCOUNT来检查是否成功。这不是成功创建或更改视图的有效检查(也可能不适合更新/删除检查,但这是一个不同的问题)。正如我昨天解释的那样,你应该使用TRY/CATCH

最后,你试图在EXEC()内部连接变量 - 并且你追加一个字符串变量忽略了它包含撇号(')的可能性,它会破坏你的查询(可能有一个SQL注入也在这里关注)。为此,您应该使用sp_executeSQL。事实上,更好的做法是不要浪费地重复所有视图代码:

ALTER PROCEDURE dbo.Proc_Guards_By_Client
  @client_number  INT,
  @client_name    NVARCHAR(16)
AS
BEGIN
  SET NOCOUNT ON;

  DECLARE @sql NVARCHAR(MAX) = N' VIEW dbo.vmGuardsByClient
    AS
      SELECT ... rest of view code ...
      WHERE cgt.client_number = ' + CONVERT(VARCHAR(12), @client_number) + 
       ' OR c.client_name = ''' + REPLACE(@client_name, '''', '''''') + ''';';

  SET @sql = CASE WHEN EXISTS
    (SELECT 1 FROM sys.views WHERE [object_id] = OBJECT_ID('dbo.vwGuardsByClients'))
    THEN N'ALTER' ELSE N'CREATE' + @sql;

  BEGIN TRY
    EXEC sp_executesql @sql;
  END TRY
  BEGIN CATCH
    PRINT ERROR_MESSAGE();
  END CATCH
END
GO

不过,我不得不问。为什么需要为特定视图创建一个不知道视图是否已存在的存储过程?一旦您创建了此视图一次,代码的CREATE VIEW部分将如何再次执行?您的所有用户都拥有dbo / sa权限吗?此视图是否真的有被丢弃的危险?您是否尝试为每个客户创建一个视图?如果是这样,您最好考虑将客户端名称添加到视图的名称中。在当前场景中,每当新客户端尝试运行代码时,您将替换现有视图,然后当先前用户从视图中进行选择时,他们会惊讶于他们不再看到自己的数据。 / p>

答案 1 :(得分:2)

希望以下内容有所帮助。问题是在构建语句时使用内联参数

ALTER PROC Proc_Guards_By_Client
(
  @client_number         INT
  ,@client_name              NVARCHAR(16)
)
AS
BEGIN
/****** Script for SelectTopNRows command from SSMS  ******/

  IF EXISTS(select * FROM sys.views where name = 'vwGuardsByClients')
  BEGIN

  EXEC ('
  UPDATE VIEW vwGuardsByClients

SELECT TOP 1000 
  cgt.[guard_id],
  sg.first_name,
  sg.last_name,
  sg.ammunition_quantity    
  FROM [sws4].[dbo].[client_guard_tracking] cgt
  INNER JOIN CLIENTS c
  ON c.client_number = cgt.client_number
  INNER JOIN security_guard sg
  ON sg.guard_id = cgt.guard_id
  WHERE cgt.client_number = ' + cast(@client_number as varchar(10)) + 
  '  OR c.client_name = ''' + @client_name + '''
')
-- Here you missing one character '
  END
ELSE
BEGIN
   EXEC ('CREATE VIEW vwGuardsByClients
   AS
   SELECT TOP 1000 
  cgt.[guard_id],
  sg.first_name,
  sg.last_name,
  sg.ammunition_quantity    
  FROM [sws4].[dbo].[client_guard_tracking] cgt
  INNER JOIN CLIENTS c
  ON c.client_number = cgt.client_number
  INNER JOIN security_guard sg
  ON sg.guard_id = cgt.guard_id
  WHERE cgt.client_number = ' + cast(@client_number as varchar(10)) + 
  ' OR c.client_name = ''' + @client_name + '''
')
END

--SELECT * from vwGuardsByClients

IF @@ROWCOUNT = 0
PRINT 'Warning: No rows were updated'

END