下面的查询会抛出此错误:
Conversion failed when converting the varchar value 'query below that stops at WHERE tsv.Transition_ID =' to data type int
DECLARE @Language_ID INT
SELECT @Language_ID = dbo.BPE_F_Default_Language_GetOne()
DECLARE @Transition_ID int
SET @Transition_ID = -1
DECLARE @SQLSTR nvarchar(4000)
SELECT @SQLSTR = 'SELECT tsv.Transition_Set_Variable_ID
, tsv.Set_To_Variable_ID
, tsv.Transition_ID
, tl.Transition_Text
, tsv.Variable_ID_To_Change
, variable.Name
, tsv.Set_To_Variable_ID
, tsv.Set_To_Value_ID
, tsv.Changed_In_SP
, tsv.Set_To_Comment_Input
, tsv.Comment AS Assigned_Comment
, variable2.Name AS Set_To_Variable_Name
, value.Name AS Set_To_Value_Name
FROM BPE_T_VA_Variable AS variable
INNER JOIN BPE_T_VA_Transition_Set_Variable AS tsv
ON variable.Variable_ID = tsv.Variable_ID_To_Change
LEFT JOIN BPE_T_VA_Variable AS variable2
ON tsv.Set_To_Variable_ID = variable2.Variable_ID
LEFT JOIN BPE_T_VA_Value AS value
ON tsv.Set_To_Value_ID = value.Value_ID
INNER JOIN BPE_T_WF_Transition_Localisation AS tl
ON tsv.Transition_ID = tl.WF_Transition_ID
WHERE tsv.Transition_ID = ' + @Transition_ID + ' OR ' + @Transition_ID + ' = -1
AND (' + @Column + ' LIKE ''%''' + @search_string + '''%'' )
AND tl.Language_ID = ' + @Language_ID + '
ORDER BY tsv.Transition_ID, variable.Name'
EXEC(@SQLSTR);
任何人都知道这可能是什么?
答案 0 :(得分:2)
@Transition_ID是INT,您必须先将其转换为VARCHAR,然后再与其余字符串连接。
但是,最好使用sp_executeSql,并在查询中参数化@Transition_ID和@search_string参数。目前看来,它可能容易受到Sql Injection Attack的攻击。</ p>
此外,请谨慎使用@Column中允许的值,最好使用白名单,因为这不能按照您使用它的方式进行参数化,而且还可以打开你攻击。
答案 1 :(得分:0)
由于您要将INT连接到字符串,您必须将其转换,否则会引发错误。
添加以下内容:
cast(@Transition_ID as varchar(50))
制作完整的剧本:
DECLARE @Language_ID INT
SELECT @Language_ID = dbo.BPE_F_Default_Language_GetOne()
DECLARE @Transition_ID int
SET @Transition_ID = -1
DECLARE @SQLSTR nvarchar(4000)
SELECT @SQLSTR = 'SELECT tsv.Transition_Set_Variable_ID
, tsv.Set_To_Variable_ID
, tsv.Transition_ID
, tl.Transition_Text
, tsv.Variable_ID_To_Change
, variable.Name
, tsv.Set_To_Variable_ID
, tsv.Set_To_Value_ID
, tsv.Changed_In_SP
, tsv.Set_To_Comment_Input
, tsv.Comment AS Assigned_Comment
, variable2.Name AS Set_To_Variable_Name
, value.Name AS Set_To_Value_Name
FROM BPE_T_VA_Variable AS variable
INNER JOIN BPE_T_VA_Transition_Set_Variable AS tsv
ON variable.Variable_ID = tsv.Variable_ID_To_Change
LEFT JOIN BPE_T_VA_Variable AS variable2
ON tsv.Set_To_Variable_ID = variable2.Variable_ID
LEFT JOIN BPE_T_VA_Value AS value
ON tsv.Set_To_Value_ID = value.Value_ID
INNER JOIN BPE_T_WF_Transition_Localisation AS tl
ON tsv.Transition_ID = tl.WF_Transition_ID
WHERE tsv.Transition_ID = ' + cast(@Transition_ID as varchar(50)) + ' OR ' + cast(@Transition_ID as varchar(50)) + ' = -1
AND (' + @Column + ' LIKE ''%''' + @search_string + '''%'' )
AND tl.Language_ID = ' + @Language_ID + '
ORDER BY tsv.Transition_ID, variable.Name'
EXEC(@SQLSTR);
答案 2 :(得分:0)
将Int变量转换为varchar:
SELECT @SQLSTR = 'SELECT tsv.Transition_Set_Variable_ID
, tsv.Set_To_Variable_ID
, tsv.Transition_ID
, tl.Transition_Text
, tsv.Variable_ID_To_Change
, variable.Name
, tsv.Set_To_Variable_ID
, tsv.Set_To_Value_ID
, tsv.Changed_In_SP
, tsv.Set_To_Comment_Input
, tsv.Comment AS Assigned_Comment
, variable2.Name AS Set_To_Variable_Name
, value.Name AS Set_To_Value_Name
FROM BPE_T_VA_Variable AS variable
INNER JOIN BPE_T_VA_Transition_Set_Variable AS tsv
ON variable.Variable_ID = tsv.Variable_ID_To_Change
LEFT JOIN BPE_T_VA_Variable AS variable2
ON tsv.Set_To_Variable_ID = variable2.Variable_ID
LEFT JOIN BPE_T_VA_Value AS value
ON tsv.Set_To_Value_ID = value.Value_ID
INNER JOIN BPE_T_WF_Transition_Localisation AS tl
ON tsv.Transition_ID = tl.WF_Transition_ID
WHERE tsv.Transition_ID = ' + cast(@Transition_ID as varchar) + ' OR ' + cast(@Transition_ID as varchar) + ' = -1
AND (' + @Column + ' LIKE ''%''' + @search_string + '''%'' )
AND tl.Language_ID = ' + cast(@Language_ID as varchar) + '
ORDER BY tsv.Transition_ID, variable.Name'
答案 3 :(得分:0)
这不会导致你出现问题吗?
WHERE tsv.Transition_ID = ' + @Transition_ID + ' OR ' + @Transition_ID + ' = -1
我认为它必须是
WHERE tsv.Transition_ID = ' + @Transition_ID + ' OR tsv.Transition_ID =' + @Transition_ID + ' = -1
因为你将值设置为-1,我希望SQL(如果你打印它)看起来像:
WHERE tsv.Transition_ID = -1 OR -1 = -1