我正在使用以下程序 如果我使用“in clause”中的attendancecodeid接受inetger值,我怎样才能从vb.net传递我的“sql过程在子句中”的参数,我试过很多东西对我来说找不到解决办法,
alter procedure MPEX_SP_ActivityException_Select
@startDate date,@endDate date,@AttCode nvarchar(max)
as
begin
set nocount on
select e.employeeId,e.Badge,e.LastName,e.FirstName,a.Date,ac.code
from employee e join attendance a on a.fkEmployee=e.employeeId
join attendancecodes ac on ac.attendancecodesid=a.fkattendancecode
where a.Date between @startDate and @endDate and ac.code in (@AttCode )
end
go
提前致谢
Arasu
答案 0 :(得分:1)
这可能是重复的,但我找不到类似问题的任何答案,这些问题表明存储过程的表值参数可能是一个可行的解决方案,并且不需要动态SQL和SQL注入的风险(并非所有黑客都与此风险相关)。表值参数也应该提供更好的性能,因为可以存储执行计划,而不是动态解决方案,其中必须动态创建计划。
CREATE TYPE dbo.AttCodeTableType AS TABLE (AttCode VARCHAR(MAX))
GO
CREATE PROCEDURE PEX_SP_ActivityException_Select (@startDate DATE, @EndDate DATE, @AttCodes dbo.AttCodeTableType READONLY)
AS
BEGIN
SELECT e.EmployeeID, e.Badge, e.LastName, e.FirstName, a.Date, ac.Code
FROM Employee e
INNER JOIN Attendance a
ON a.FKEmployee = e.EmployeeID
INNER JOIN AttendanceCodes ac
ON ac.AttendanceCodesID = a.FKAttendanceCode
INNER JOIN @AttCodes act
ON act.AttCode = ac.Code
WHERE a.Date BETWEEN @StartDate AND @EndDate
END
GO
然后执行该程序,您可以使用以下内容:
DECLARE @Table AS dbo.AttCodeTableType
INSERT @Table VALUES ('Code1'), ('Code2'), ('Code3')
EXEC PEX_SP_ActivityException_Select @Table
要从vb.net中的数据表创建SQL参数,您可以使用以下内容:
dim sqlParam as new SqlParameter("@Table", DataTable)
sqlParam.SqlDbType = SqlDbType.Structured
sqlParam.TypeName = "dbo.AttCodeTableType"
阅读here了解详情。
最后,继续接受您的接受率!!!