我有一个asp.net 4.0应用程序命中sql 2008 db。我有一个非常基本的存储过程,旨在返回记录。当我在.net ide服务器资源管理器中执行它时它工作。但是当我逐步浏览.net代码时,即使变量以我喜欢的方式传递(并且之前已经完成了许多imes),也没有返回任何内容。这是存储过程...
ALTER PROCEDURE get_cases_by_search_criteria
@vin as varchar(50) = null
AS
declare @sqlstr varchar(5000)
set @sqlstr = 'SELECT
[Case].CaseID,
[Case].VIN,
[Case].Make,
[Case].Model,
Contact.FirstName,
Contact.LastName,
FROM [Case] INNER JOIN
Contact ON [Case].CaseID = Contact.CaseID
Where Contact.ContactTypeID = 1 '
if @vin is not null and @vin <> ''
BEGIN
set @sqlstr = @sqlstr + ' and ' + ('[Case].VIN = ''' + convert(varchar,@vin) + '''')
END
exec(@sqlstr)
这就是我传递价值的方式......
'non-specific parameter
param1 = oFactory.CreateParameter()
param1.ParameterName = "@vin"
param1.DbType = DbType.String
param1.Value = oSearchCriteria.VIN
oCmd.Parameters.Add(param1)
oCmd.CommandType = CommandType.StoredProcedure
oCmd.CommandText = "get_cases_by_search_criteria"
Using (oConnection)
oConnection.Open()
oReader = oCmd.ExecuteReader()
While oReader.Read
答案 0 :(得分:0)
@vin等于'; DROP DATABASE UserDB; --时会发生什么?
这可能不是您要解决的问题,但是您使用动态SQL的方式使您容易受到SQL Injection Attack的攻击。</ p>
您应使用exec(@sql)并参数化sp_executesql
@vin字符串
DECLARE @sqlstr varchar(5000)
DECLARE @ParmDefinition NVARCHAR(500)
SET @sqlstr = 'SELECT
[Case].CaseID,
[Case].VIN,
[Case].Make,
[Case].Model,
Contact.FirstName,
Contact.LastName,
FROM [Case] INNER JOIN
Contact ON [Case].CaseID = Contact.CaseID
Where Contact.ContactTypeID = 1 '
IF @vin is not null and @vin <> ''
BEGIN
SET @sqlstr = @sqlstr + ' and [Case].VIN = @vinparm'
END
SET @ParmDefinition = N'@vinparm varchar(50)'
EXECUTE sp_executesql @sqlstr, @ParmDefinition, @vinparm = @vin