因此,在SQL Server 2008+上,该函数有效:
CREATE ASYMMETRIC KEY Asym_Key_Name
[ AUTHORIZATION database_principal_name ]
[ FROM <Asym_Key_Source> ]
[ WITH <key_option> ]
[ ENCRYPTION BY <encrypting_mechanism> ]
[ ; ]
我想使用一个参数来提供Asym_Key_Name和ENCRYPTION BY PASSWORD的参数,因此它不是硬编码的。问题就出在这里。我该怎么办?
这有效(硬编码,对我无用):
CREATE PROCEDURE [dbo].[asi_spCryptomodServer_NewKeyPair]
@KeyName nvarchar(128),
@KeyPassword nvarchar(128)
AS
BEGIN
CREATE ASYMMETRIC KEY blah
WITH ALGORITHM = RSA_2048
ENCRYPTION BY PASSWORD = '123P@ssword';
END
GO
这是我想要的,但是SQL Server不喜欢它:
CREATE PROCEDURE [dbo].[asi_spCryptomodServer_NewKeyPair]
@KeyName nvarchar(128),
@KeyPassword nvarchar(128)
AS
BEGIN
CREATE ASYMMETRIC KEY @KeyName
WITH ALGORITHM = RSA_2048
ENCRYPTION BY PASSWORD = @KeyPassword;
END
GO
后者返回:
消息102,级别15,状态1,过程asi_spCryptomodServer_NewKeyPair,第11行[批处理开始第4行] “ @KeyName”附近的语法不正确。 消息319,级别15,状态1,过程asi_spCryptomodServer_NewKeyPair,第12行[批处理开始第4行] 关键字“ with”附近的语法不正确。如果此语句是公用表表达式,xmlnamespaces子句或更改跟踪上下文子句,则前一条语句必须以分号终止。
^如何修复逻辑,以便可以在参数中传递Asym_Key_Name和密码?
===基于评论===
我采用了动态SQL作为解决方案。因此,下一个问题是,如何使用以下代码防止SQL注入:
CREATE PROCEDURE [dbo].[asi_spCryptomodServer_NewKeyPair]
@KeyName nvarchar(128),
@KeyPassword nvarchar(128)
AS
BEGIN
BEGIN TRY
DECLARE @KeyPasswordPost nvarchar(128)
SET @KeyPasswordPost = 'N''' + @KeyPassword + ''''
DECLARE @KEYSTATEMENT As nvarchar(1024)
Set @KEYSTATEMENT = 'CREATE ASYMMETRIC KEY ' + @KeyName
Set @KEYSTATEMENT = @KEYSTATEMENT + ' WITH ALGORITHM = RSA_2048 ENCRYPTION BY PASSWORD = ' + @KeyPasswordPost + ';'
EXECUTE sp_Executesql @KEYSTATEMENT
END TRY
BEGIN CATCH
RAISERROR (15600,-1,-1, 'asi_spCryptomodServer_NewKeyPair');
END CATCH
END
GO