我已经存储了搜索程序。
ALTER Proc [dbo].[USP_GETFAQ]
@SortBy Varchar(128)='CreatedDate DESC',
@Page int=1,
@RecsPerPage int =10,
@Status Char(5)='',
@Question varchar(500)='',
@Answer varchar(1000)=''
As
DECLARE @SQL VARCHAR(MAX)
DECLARE @DSQL VARCHAR(MAX)
DECLARE @whereCondition VARCHAR(1024)
DECLARE @FirstRec int, @LastRec int
SET @FirstRec = (@Page - 1) * @RecsPerPage
SET @LastRec = (@Page * @RecsPerPage + 1)
Declare @SectionCount int;
Set NoCount On
Begin
SET @SQL='Select
ROW_NUMBER() over( order by '+@SortBy +') rownum,
* FROM faq where Status <>''D'''
if @Status !='' and @Status is not null AND @Status!='ALL'
begin
SET @SQL+=' AND Status = '''+@Status+''''
end
if @Question!=''
begin
SET @SQL +=' AND Question like '''+'%'+REPLACE(@Question, '''', '')+'%'+''''
end
if @Answer!=''
begin
SET @SQL +=' AND Answer like '''+'%'+REPLACE(@Answer, '''', '')+'%'+''''
end
SET @DSQL='SELECT * from (' + @SQL +') AS tbl'
print @DSQL
DECLARE @TEMPResult TABLE(RowNum INT,
ID uniqueIdentifier,
Question varchar(500),
Answer varchar(1000),
CreatedDate DateTime,
LastModifiedDate dateTime,
CreatedByIp varchar(20),
LastModifiedByIp varchar(20),
CreatedBy varchar(50),
ModifiedBy varchar(50),
[Order] int,
Status char(5)
)
INSERT INTO @TEMPResult EXEC(@DSQL)
SELECT (Select Count(*) from @TEMPResult) as Count,ID,SUBSTRING(question, 1, 200)question ,SUBSTRING(Answer, 1,250)Answer,
CreatedDate,LastModifiedDate,CreatedByIp ,LastModifiedByIp,CreatedBy,ModifiedBy, [Order], Status FROM @TEMPResult WHERE RowNum > @FirstRec AND RowNum < @LastRec
RETURN
End
当问题或答案包含“'”时,我会收到错误消息。在“'”附近,synatx错了。
到目前为止,我所尝试的是:
在将字符串传递给存储过程之前,我已将“'”替换为“''''”。它运行成功,但没有返回任何记录,请帮助我,我该怎么做。
答案 0 :(得分:0)
您的方法将导致sql注入 MSDN SQL injection
尝试使用EXEC sp_executesql @SQLString, @ParamDef, @paramList ...
您的代码:
ALTER Proc [dbo].[USP_GETFAQ]
@SortBy Varchar(128)='CreatedDate DESC',
@Page int=1,
@RecsPerPage int =10,
@Status Char(5)='',
@Question varchar(500)='',
@Answer varchar(1000)=''
As
DECLARE @SQL NVARCHAR(MAX)
DECLARE @FirstRec int, @LastRec int
SET @FirstRec = (@Page - 1) * @RecsPerPage
SET @LastRec = (@Page * @RecsPerPage + 1)
Declare @SectionCount int;
Set NoCount On
Begin
SET @SQL='SELECT * from (
Select ROW_NUMBER() over( order by '+@SortBy +') rownum,
* FROM faq where Status <>''D'''
if @Status !='' and @Status is not null AND @Status!='ALL'
begin
SET @SQL+=' AND Status = @Status '
end
if @Question!=''
begin
SET @Question = '%'+@Question+'%'
SET @SQL +=' AND Question like @Question'
end
if @Answer!=''
begin
SET @Answer = '%'+@Answer+'%'
SET @SQL +=' AND Answer like @Answer'
end
SET @SQL += ') AS tbl'
print @SQL
DECLARE @ParamDefinition nvarchar(4000)
SET @ParamDefinition =
'@Status Char(5),
@Question varchar(500),
@Answer varchar(1000)';
DECLARE @TEMPResult TABLE(RowNum INT,
ID uniqueIdentifier,
Question varchar(500),
Answer varchar(1000),
CreatedDate DateTime,
LastModifiedDate dateTime,
CreatedByIp varchar(20),
LastModifiedByIp varchar(20),
CreatedBy varchar(50),
ModifiedBy varchar(50),
[Order] int,
Status char(5)
)
INSERT INTO @TEMPResult
EXECUTE sp_executesql @SQL, @ParamDefinition
,@Status = @Status
,@Question = @Question
,@Answer = @Answer
SELECT (Select Count(*) from @TEMPResult) as Count,ID,SUBSTRING(question, 1, 200)question ,SUBSTRING(Answer, 1,250)Answer,
CreatedDate,LastModifiedDate,CreatedByIp ,LastModifiedByIp,CreatedBy,ModifiedBy, [Order], Status FROM @TEMPResult WHERE RowNum > @FirstRec AND RowNum < @LastRec
RETURN
End
答案 1 :(得分:0)
连续使用3个单引号。喜欢 '''。不要使用任何双引号。