堆栈内存溢出
  简体   繁体   English

调用存储过程后执行查询

[英]Execute a Query After Call a stored procedure

 原文  2014-02-09 06:36:38       c#

问题描述

This is my stored procedure 这是我的存储过程 

CREATE DEFINER=`root`@`localhost` PROCEDURE `sp_CPC`(
    IN _B VARCHAR(100),
    IN _G      VARCHAR(2),     
    IN _R VARCHAR(30), 
    IN _D VARCHAR(30), 
    OUT _C FLOAT, 
    OUT _P FLOAT)
BEGIN
  //Something Hear
END$$
DELIMITER ;

I Call this stored procedure by C# flowing Code 我通过C#流代码调用此存储过程 

DataSet tmpDataSet = new DataSet();
mCommand.CommandText = "sp_CPC";
mCommand.CommandType = CommandType.StoredProcedure;
// mCommand.CommandText = "sp_select_all_employees";
mCommand.Parameters.AddWithValue("@_B", "bty-23");
mCommand.Parameters.AddWithValue("@_G", "3");
mCommand.Parameters.AddWithValue("@_R", "9000");
mCommand.Parameters.AddWithValue("@_D", "92");

mCommand.Parameters.Add("@_C",MySqlDbType.Float);
mCommand.Parameters["@_C"].Direction = ParameterDirection.Output;
mCommand.Parameters.Add("@_P", MySqlDbType.Float);
mCommand.Parameters["@_P"].Direction = ParameterDirection.Output;

try
{
    mConnection.Open();
    mCommand.ExecuteNonQuery();
    mAdapter.Fill(tmpDataSet)
}
catch (Exception ex)
{
    strErrorInfo = ex.ToString();
}
finally
{
    mConnection.Close();
}
DataTable dtb = tmpDataSet.Tables[0];
         mCommand.CommandText = "INSERT INTO abc (xxxx,yyyy) VALUES ('" + dtb.Rows[0][0] + "','" + dtb.Rows[0][1] + "')";           
         mConnection.Open();
         mCommand.ExecuteNonQuery();     
         mConnection.Close();
return tmpDataSet;

it show error in this command mCommand.ExecuteNonQuery(); 它在此命令中显示错误mCommand.ExecuteNonQuery(); You have an error in your SQL syntax; 您的SQL语法有误; check the manual that corresponds to your MySQL server version for the right syntax to use near '-14' AND name LIKE '5378377032052','6'' at line 1. 检查与您的MySQL服务器版本相对应的手册以获取正确的语法,以在'-14'附近使用,并在第1行使用类似'5378377032052','6''的名称。

(Return tmpDataSet) use Because of this data i also use anouther work (返回tmpDataSet)使用由于此数据,我还使用其他工作

1 个解决方案

解决方案1
 0  2014-02-09 07:22:30

The way you construct the INSERT statement is unsafe. 构造INSERT语句的方法不安全。 You concatenate strings that might contain ' characters, so that your INSERT statement becomes invalid - and also prone to SQL injection attacks. 您将可能包含'字符的字符串连接起来,从而使INSERT语句无效-并容易受到SQL注入攻击。 The error message you show in the comments points in this direction. 您在注释中显示的错误消息指向此方向。

In order to solve this, use parameters in the INSERT statement as you did in your stored procedure. 为了解决此问题,请像在存储过程中一样在INSERT语句中使用参数。

Sample: 样品: 

// ...
mCommand.CommandText = "INSERT INTO abc (xxxx,yyyy) VALUES (@val1, @val2)";           
mCommand.Parameters.AddWithValue("@val1", dtb.Rows[0][0]);     
mCommand.Parameters.AddWithValue("@val2", dtb.Rows[0][1]);
// ...

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在STORED PROCEDURE调用之前执行SET语句 - Execute SET statement before STORED PROCEDURE call 调用存储过程还是运行sql查询? - Call stored procedure or run sql query? 在Linq-to-Entities查询中调用存储过程 - Call stored procedure in a Linq-to-Entities query 存储过程调用后获取处理数据 - Getting processed data after stored procedure call 存储过程调用后,NHibernate随后读取 - Nhibernate subsequent read after stored procedure call Linq查询执行返回类型为DataTable的存储过程 - Linq query to execute stored procedure with return type as DataTable 无法在nhibernate中使用命名查询执行存储过程 - Unable to execute stored procedure using named query in nhibernate 如何像存储过程一样在C#中执行Access查询 - How to execute Access query in C# like stored procedure 在存储过程中执行循环以在SQL查询中插入数据 - Execute loop in stored procedure to insert the data in SQL query 使用Select查询的存储过程在SMSS中返回结果,但不通过C#调用返回结果 - Stored procedure with Select query returns result in SMSS but not with C# call
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM