CREATE TABLE students
( id INT,
NAME varchar(20)
)
INSERT INTO students(id,name)VALUES(1,'Danny')
INSERT INTO students(id,name)VALUES(2,'Dave')
INSERT INTO students(id,name)VALUES(3,'Sue')
INSERT INTO students(id,name)VALUES(4,'Jack')
INSERT INTO students(id,name)VALUES(5,'Rita')
INSERT INTO students(id,name)VALUES(6,'Sarah')
这是我的存储过程
alter PROCEDURE emp_sp
(
@std_id as VARCHAR(500),
@std_name as varchar(500)
)
AS
begin
SELECT *FROM Students s
WHERE s.id IN(convert(INT,@std_id) ,',')
AND
s.NAME IN(@std_name)
END
GO
我在这里手动执行
EXEC dbo.emp_sp @std_id='1,2,3', @std_name='"Danny","Dave","Sue"'
但是我收到了这个错误:
Msg 245,Level 16,State 1,Procedure emp_sp,Line 8
时转换失败
将varchar值','转换为数据类型int。
任何人都可以指导我。
答案 0 :(得分:0)
要使您当前的方法正常工作,您将需要使用Dynamic Sql,它将非常脆弱并且容易受到Sql Injection攻击。 Example of this Here
更好的方法是通过表值参数:
CREATE TYPE ttStudentIDs AS TABLE
(
ID INT
);
GO
CREATE TYPE ttStudentNames AS TABLE
(
Name VARCHAR(20)
);
GO
CREATE PROCEDURE dbo.emp_sp
(
@stdIds ttStudentIDs READONLY,
@stdNames ttStudentNames READONLY
)
AS
begin
SELECT s.ID, s.Name
FROM Students s
INNER JOIN @stdIds si
ON s.ID = si.ID
UNION
SELECT s.ID, s.Name
FROM Students s
INNER JOIN @stdNames sn
ON s.Name = sn.Name;
END
GO
并且这样称呼:
DECLARE @Ids AS ttStudentIDs;
DECLARE @Names AS ttStudentNames;
INSERT INTO @Ids VALUES (1),(2),(3);
INSERT INTO @Names VALUES ('Danny'),('Dave'),('Sue');
EXEC dbo.emp_sp @Ids, @Names;