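I'm a developer and I hate SQL :) Please help me.
I want to create my own stored procedure that creates a tenant in my SaaS database. To do that, I need to create a new SQL login for the tenant and then add it to a predefined SQL role.
I'm already stumbling just trying to create the login. Here is what I've tried...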
CREATE PROCEDURE [MyScheme].[Tenants_InsertTenant]
@username nvarchar(2048),
@password nvarchar(2048)
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
CREATE LOGIN @username WITH PASSWORD = @password
END
Msg 102,Level 15,State 1,Procedure Tenants_InsertTenant,Line 16 '@username'附近的语法不正确。
Msg 319,Level 15,State 1,Procedure Tenants_InsertTenant,Line 16 关键字'with'附近的语法不正确。如果此语句是公用表表达式,xmlnamespaces子句或更改跟踪上下文子句,则必须以分号结束前一个语句。
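I realize this should be straightforward, but when you're new to SQL and the SQL Manager errors look as cryptic as they do to me, it's best to just ask for help :)
Thanks, Justin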
Answer 0: (score: 9)
Apparently CREATE LOGIN only accepts literals. You could try wrapping it in an exec and building it as a string:
EXEC('CREATE LOGIN ' + quotename(@username) + ' WITH PASSWORD = ' + quotename(@password, ''''))
Edit: added quotename for safety against SQL injection attacks
Answer 1: (score: 5)
A working solution:
sp_addlogin @loginame = 'test', @passwd = 'test', @defdb = 'test'
Answer 2: (score: 2)
Try this:
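declare @t nvarchar(4000)
-- quotename() brackets the login name and quotes the password, doubling any embedded delimiter
set @t = N'CREATE LOGIN ' + quotename(@username) + N' WITH PASSWORD = ' + quotename(@password, '''')
exec sys.sp_executesql @t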
Answer 3: (score: 0)
Based on the answers from @codeulike and @Galkin, I ended up doing this:
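I'm running SQL Server 2019, and combining QUOTENAME() inside EXEC(-> <-) did not work.
If I understand the Microsoft SQL injection documentation correctly, using quotename to build the string and then executing it protects you from SQL injection.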
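
A hardened version of the tenant-login procedure discussed above, as an added example that is not part of the original posts. It applies QUOTENAME() into variables before building the statement (EXEC(...) accepts only literals and variables, not function calls) and rejects input QUOTENAME() cannot handle; the procedure name and the TenantRole role are hypothetical.

```sql
-- Added example; MyScheme.Tenants_CreateLogin and TenantRole are hypothetical names.
CREATE PROCEDURE [MyScheme].[Tenants_CreateLogin]
    @username nvarchar(2048),
    @password nvarchar(2048)
AS
BEGIN
    SET NOCOUNT ON;

    -- QUOTENAME() wraps the value in delimiters and doubles any embedded
    -- closing delimiter, so the value cannot break out of the identifier
    -- or string literal. It returns NULL for NULL input and for input
    -- longer than 128 characters.
    DECLARE @login  nvarchar(258) = QUOTENAME(@username);        -- [name], ] doubled
    DECLARE @secret nvarchar(258) = QUOTENAME(@password, '''');  -- 'pw',   ' doubled

    -- NULL + string is NULL, so a NULL here would wipe out the whole
    -- statement text; fail loudly instead.
    IF @login IS NULL OR @secret IS NULL
    BEGIN
        RAISERROR(N'Login name and password must be non-NULL and at most 128 characters.', 16, 1);
        RETURN;
    END;

    -- CREATE LOGIN and CREATE USER accept no variables, so the statement
    -- text is assembled from the already-quoted values and then executed.
    DECLARE @sql nvarchar(max) =
          N'CREATE LOGIN ' + @login + N' WITH PASSWORD = ' + @secret + N';'
        + N' CREATE USER ' + @login + N' FOR LOGIN ' + @login + N';'
        + N' ALTER ROLE [TenantRole] ADD MEMBER ' + @login + N';';

    EXEC sys.sp_executesql @sql;
END;
```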