存储过程未按预期执行
[英]Stored Procedure not execute as expected
问题描述
I have written following stored procedure 
我写了以下存储过程
CREATE procedure [dbo].[findUSerID]
@Column_name varchar(50),
@TR_ID int
AS
DECLARE @sql nvarchar(max) = 'SELECT ' +@Column_name+ '
FROM Transfer_TB
WHERE TID =' + CAST(@TR_ID AS VARCHAR(10))
EXEC sp_executesql @sql
Table definition : 表定义:
CREATE TABLE [dbo].[Transfer_TB]
(
[TID] [int] NULL,
[ABC] [varchar](20) NULL,
[XYZ] [varchar](50) NULL,
[LMN] [varchar](50) NULL,
[PQR] [varchar](50) NULL,
)
But it does not return the proper output. 但是它不会返回正确的输出。
Like I have called it from my asp page code for that using n tier architecture. 就像我从我的asp页面代码中使用n层体系结构调用它一样。
public string check_validID(string branch,int trId)
{
string user_Br_ID;
clsBranch_TB objbr = new clsBranch_TB();
clsUserTB objuser = new clsUserTB();
objuser.User_Branch = 'XYZ';
objuser.Extra_Int = 32;
DataSet ds = clsAdminLogic.findUSerID(objuser);
if (ds.Tables[0].Rows.Count == 0)
{
user_Br_ID = clsAdminLogic.getno_of_Emp(objbr);
}
else
{
user_Br_ID = ds.Tables[0].Rows[0][0].ToString();
}
return user_Br_ID;
}
public static DataSet findUSerID(clsUserTB objuser)
{
DataSet ds = DataAccessLayer.clsLogs.findUSerID(objuser);
return ds;
}
public static DataSet findUSerID(clsUserTB objuser)
{
SqlParameter[] param = {
new SqlParameter("@TR_ID",objuser.Extra_Int),
new SqlParameter("@Column_name",objuser.User_Branch)
};
DataSet ds = DataAccessLayer.SqlHelper.FillDataNewRJ(
DataAccessLayer.clsDataAccessLayer.con.ConnectionString.ToString(),
CommandType.StoredProcedure, "findUSerID", (param)
);
return ds;
}
As it executes it, there is value present in database, but still it enters into if part of that function. 在执行它的过程中,数据库中存在值,但如果该函数的一部分仍会进入该值。
Please help me and guide if something wrong in above code 如果上面的代码有问题,请帮我指导
3 个解决方案
解决方案1
2 2015-05-08 11:02:11
Your stored procedure is prone to Sql-Injection. 您的存储过程容易出现Sql-Injection。 do the following to protect yourself against it. 请执行以下操作以保护自己免受侵害。
CREATE procedure [dbo].[findUSerID]
@Column_name SYSNAME
,@TR_ID INT
AS
BEGIN
SET NOCOUNT ON;
DECLARE @sql nvarchar(max);
SET @sql = N' SELECT ' + QUOTENAME(@Column_name)
+ N' FROM Transfer_TB '
+ N' WHERE TID = @TR_ID '
exec sp_executesql @sql
,N'@TR_ID int'
,@TR_ID
END
If your Stored procedure is returning a scalar value "UserID" as the name suggest you should be doing something like...... 如果您的存储过程正在返回标量值“ UserID”作为名称,则建议您应该执行类似的操作……
CREATE procedure [dbo].[findUSerID]
@Column_name SYSNAME
,@TR_ID INT
,@UserID INT OUTPUT
AS
BEGIN
SET NOCOUNT ON;
DECLARE @sql nvarchar(max);
SET @sql = N' SELECT @UserID = ' + QUOTENAME(@Column_name)
+ N' FROM Transfer_TB '
+ N' WHERE TID = @TR_ID '
exec sp_executesql @sql
,N'@TR_ID int , @UserID INT OUTPUT'
,@TR_ID
,@UserID OUTPUT
END
解决方案2
0 2015-05-08 13:25:33
there is value present in database, but still it enters into else part of that function
I assume this is the part you're talking about (there are 3 functions in that code) 我假设这是您正在谈论的部分(该代码中有3个函数)
if (ds.Tables[0].Rows.Count == 0)
{
user_Br_ID = clsAdminLogic.getno_of_Emp(objbr);
}
else
{
user_Br_ID = ds.Tables[0].Rows[0][0].ToString();
}
Yes. 是。 Your if goes into the else if the rows are not 0. It's doing exactly what its being told. if行不为0, if进入else它正在按照所告知的去做。 That basic logic error is the least of your worries though. 不过,该基本逻辑错误是您最少的担心。 You're storing branches as columns? 您是将分支存储为列吗?
解决方案3
0 已采纳 2015-05-09 06:31:48
i found solution for this problem, actually that particular record contains values instead of selective column that's why query returning the null value. 我找到了解决此问题的方法,实际上该特定记录包含值而不是选择性列,这就是查询返回空值的原因。 So i just have added one condition my stored procedure to fix it . 所以我只是在存储过程中添加了一个条件来解决它。
ALTER procedure [dbo].[findUSerID]
@Column_name varchar(50),
@TR_ID int
AS
DECLARE @sql nvarchar(max) = 'SELECT ' +@Column_name+ '
FROM Transfer_TB where TID =' + CAST(@TR_ID AS VARCHAR(10))+'
and '+@Column_name+'<> null'
exec sp_executesql @sql
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.