我正在制作一个接受动态过滤的存储过程,我的问题是我需要使其保持尽可能的灵活性。
ALTER PROCEDURE astp_test
@WhereClause NVARCHAR(max) = NULL
AS
DECLARE @FilteredResults AS TABLE (testId int, testfield datetime2)
DECLARE @sql AS NVARCHAR(MAX) = N'SELECT testId , testfield
FROM aviw_test
WHERE IsOpen = 1 AND IsLatesInsert = 1
AND testStepNo = 7
AND test2 IS NULL
AND (testfielddate IS NULL OR testfielddate2 < GETUTCDATE())
AND Domain IN (SELECT Domain FROM project WITH (NOLOCK) WHERE Status = ''Active'')' +
CASE WHEN @WhereClause IS NOT NULL
THEN N' AND ' + @WhereClause ELSE N''
END
INSERT INTO @FilteredResults
EXEC sys.sp_executesql @stmt = @sql;
我想以这种方式确保@WhereClause
输入的安全,因为有一些复选框发送这样的内容:"AND testDatePick = '2019-10-10' AND testStage = 'InProgress' AND testArea = 'London' "
。那么最好的方法是什么?