'，'附近的语法不正确。 exec sp_executesql

Question

ALTER PROCEDURE [dbo].[proc_bandejaPedidos]
    @id_usuario INT = 0,
    @selector NVARCHAR(50) = '',
    @order NVARCHAR(50) = '',
    @consulta NVARCHAR(MAX) = ''
AS
BEGIN
    SET NOCOUNT ON;

    IF(@selector = '' AND @order = '')
            SET @selector = 'pedi.fecha_creacion';
            SET @order = 'DESC';

    SET @consulta = 'pedi.id,pedi.folio,pedi.cliente_id,
                     eniac_clientes.rfc,
                     eniac_clientes.nombre+\" \"+eniac_clientes.apellido_paterno+\" \"+eniac_clientes.apellido_paterno AS Cliente,
                     pedi.fecha_creacion,
                     pedi.importe,
                     estatus_pi.estatus,
                     eniac_sucursales.nombre AS sucursal

                     FROM pedidos AS pedi

    INNER JOIN gestion_pedidos_eniac.dbo.sucursales AS eniac_sucursales ON eniac_sucursales.id_sucursal = pedi.sucursal_id
    INNER JOIN gestion_pedidos_eniac.dbo.clientes AS eniac_clientes ON eniac_clientes.id = pedi.cliente_id
    INNER JOIN estatus_pedido AS estatus_pi ON estatus_pi.id = pedi.estatus

    WHERE pedi.usuario_id = '+ CAST(@id_usuario AS NVARCHAR)+'
    ORDER BY ' + @selector + ' '+ @order + ''

    EXEC sp_executesql @consulta

END

错误是：

  

＆＃39;，＆＃39;

附近的语法不正确

我不明白，如果整个查询没有任何错误，那就没问题。

非常感谢您的帮助

Answer 1

试试这个：

1. 您错过了select
2. 使用''''代替\" \"

3. 使用打印输出调试查询

    ALTER PROCEDURE [dbo].[proc_bandejaPedidos]
   
       @id_usuario INT = 0,
       @selector NVARCHAR(50) = '',
       @order NVARCHAR(50) = '',
       @consulta NVARCHAR(MAX) = ''
   AS
   
   BEGIN
   
       SET NOCOUNT ON;
       IF(@selector = '' AND @order = '')
               SET @selector = 'pedi.fecha_creacion';
               SET @order = 'DESC';
   
       SET @consulta = 'select pedi.id,pedi.folio,pedi.cliente_id,
                        eniac_clientes.rfc,
                        eniac_clientes.nombre+'' ''+eniac_clientes.apellido_paterno+'' ''+eniac_clientes.apellido_paterno AS Cliente,
                        pedi.fecha_creacion,
                        pedi.importe,
                        estatus_pi.estatus,
                        eniac_sucursales.nombre AS sucursal
   
                        FROM pedidos AS pedi
   
       INNER JOIN gestion_pedidos_eniac.dbo.sucursales AS eniac_sucursales ON eniac_sucursales.id_sucursal = pedi.sucursal_id
       INNER JOIN gestion_pedidos_eniac.dbo.clientes AS eniac_clientes ON eniac_clientes.id = pedi.cliente_id
       INNER JOIN estatus_pedido AS estatus_pi ON estatus_pi.id = pedi.estatus
   
       WHERE pedi.usuario_id = '+ CAST(@id_usuario AS NVARCHAR)+'
       ORDER BY ' + @selector + ' '+ @order + ''
   
       EXEC sp_executesql @consulta
   
   
     print (@consulta) END
   

Answer 2

SET @consulta = 'pedi.id,pedi.folio,pedi.cliente_id,
应该是 SET @consulta = 'SELECT pedi.id,pedi.folio,pedi.cliente_id,

Answer 3

您的陈述中遗漏了select。

应该是SET @consulta = 'select pedi.id,pedi.folio,pedi.cliente_id,等等

Answer 4

您的代码中存在一些问题。

• 将SELECT添加到代码的开头： 'SELECT pedi.id,pedi.folio, ...
• 将BEGIN/END添加到IF子句中，因为现在第二行始终运行：
  IF（@selector =＆＃39;＆＃39; AND @order =＆＃39;＆＃39;）         SET @selector =＆＃39; pedi.fecha_creacion＆＃39 ;;         SET @order =＆＃39; DESC＆＃39;;
• 您没有过滤输入并且可以进行SQL注入
• 使用''代替\"