[英]How to rectify this query in SQL Server 2005
我有一個查詢,它是兩個查詢的並集,結果查詢返回重復記錄,我不想重復記錄。 我嘗試使用DISTINCT
但仍得到相同的結果,有人可以幫助我解決此查詢嗎?
我還想知道此查詢對SQL注入是否安全...我將在下面粘貼我的查詢:
ALTER PROCEDURE [dbo].[sp_GetTrashListWithSorting] --'6dbf9a01-c88f-414d-8dd9-696749258cef', '6dbf9a01-c88f-414d-8dd9-696749258cef','DateTime ASC','0','30'
(
@p_CreatedBy UNIQUEIDENTIFIER,
@p_ToReceipientID UNIQUEIDENTIFIER,
@p_SortExpression NVARCHAR(100),
@p_StartIndex INT,
@p_MaxRows INT
)
AS
SET NOCOUNT ON;
IF LEN(@p_SortExpression) = 0
SET @p_SortExpression ='DateTime DESC'
DECLARE @Sql NVARCHAR(4000)
SET @sql = 'SELECT ID, DateTime, Subject, CreatedBy, ToReceipientID, Status
FROM (SELECT ID,
DateTime,
Subject,
CreatedBy,
ToReceipientID,
Status,
ROW_NUMBER() OVER(ORDER BY '+ @p_SortExpression +') AS Indexing
FROM (SELECT ID,
DateTime,
Subject,
CreatedBy,
ToReceipientID,
SenderStatus AS Status
FROM ComposeMail
WHERE (CreatedBy = @p)
AND (SenderStatus = 7 OR SenderStatus = 8)
UNION
SELECT ID,
DateTime,
Subject,
CreatedBy,
ToReceipientID,
ReceiverStatus As Status
FROM ComposeMail
WHERE (ToReceipientID = @p1)
AND (ReceiverStatus = 7 OR ReceiverStatus = 8)) AS NewDataTable
) AS IndexTable
WHERE
Indexing > @p2 AND Indexing<= (@p2+@p3)'
DECLARE @paramDefinition NVARCHAR(500)
SET @paramDefinition = N'@p UNIQUEIDENTIFIER ,@p1 UNIQUEIDENTIFIER, @p2 INT, @p3 INT'
EXEC sp_executesql @sql, @paramDefinition,
@p = @p_CreatedBy,
@p1 = @p_ToReceipientID,
@p2 = @p_StartIndex ,
@p3 = @p_MaxRows
1)我將您的SQL重新編寫為:
WITH trash_list AS (
SELECT cm.id,
cm.datetime,
cm.subject,
cm.createdby,
cm.toreceipientid,
cm.senderstatus AS Status
FROM COMPOSEMAIL cm
WHERE cm.createdBy = @p
AND cm.enderStatus IN(7, 8)
UNION
SELECT cm.id,
cm.datetime,
cm.subject,
cm.createdby,
cm.toreceipientid,
cm.receiverstatus AS Status
FROM COMPOSEMAIL cm
WHERE cm.toreceipientid = @p1
AND cm.receiverstatus IN (7, 8))
SELECT t.id,
t.datetime,
t.subject,
t.createdby,
t.toreceipientid,
t.status
FROM (SELECT tl.id,
tl.datetime,
tl.subject,
tl.createdby,
tl.toreceipientid,
tl.status,
ROW_NUMBER() OVER(ORDER BY '+ @p_SortExpression +') AS Indexing
FROM trash_list tl
GROUP BY tl.id,
tl.datetime,
tl.subject,
tl.createdby,
tl.toreceipientid,
tl.status) t
WHERE t.indexing BETWEEN @p2 AND (@p2+@p3)
...但是,如果仍然有重復項,請檢查WITH子句中SELECT / UNION中的邏輯。
在將其轉換為動態SQL之前,使其能夠像普通SQL一樣工作。
2)該查詢對於注入攻擊是不安全的,因為當用戶可以提供文本時,您不會處理單引號:
IF LEN(@p_SortExpression)=0
SET @p_SortExpression ='DateTime DESC'
...應該:
IF LEN(@p_SortExpression)=0
SET @p_SortExpression ='DateTime DESC'
ELSE
SET @p_SortExpression = REPLACE(@p_SortExpression, '''', '''''')
您不需要查詢和聯合。 代替這2行(每個子查詢一個)
WHERE (CreatedBy = @p)
WHERE (ToReceipientID = @p1)
做到這一點(在一個查詢中)
WHERE CreatedBy IN (@p, @p1)
像這樣:
SELECT
ID
, DateTime
, Subject
, CreatedBy
, ToReceipientID
, Status
FROM (
SELECT
ID
, DateTime
, Subject
, CreatedBy
, ToReceipientID
, SenderStatus AS Status
, ROW_NUMBER() OVER (ORDER BY ' + @p_SortExpression + ') AS Indexing
FROM ComposeMail
WHERE CreatedBy IN (@p, @p1)
AND (SenderStatus = 7
OR SenderStatus = 8)
) AS IndexTable
WHERE Indexing > @p2
AND Indexing <= (@p2 + @p3)
但是我不確定我是否理解您如何傳遞@p或@ p1的值
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.