是否可以创建动态 SQL WHERE 子句,其中 WHERE 条件的两端都通过参数传入?即 WHERE Variable1 = Variable2


我已经看过许多动态 WHERE 子句的示例,但没有一个涵盖我遇到的情况。这样做可行吗?

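-- Question code, made syntactically valid: the original had a stray @Variable1
-- directly after WHERE. The column is chosen with a CASE expression, so there is
-- no dynamic SQL at all: @Variable1 can only ever select one of the four listed
-- columns, and @Variable2 is compared as an ordinary parameter, never spliced
-- into SQL text.
CREATE PROCEDURE ManualParse2
    (
        @Variable1 AS nvarchar(MAX)   -- name of the column to filter on
        ,@Variable2 AS nvarchar(MAX)  -- value that column must equal
    )
AS
    SELECT *    -- replace with an explicit column list once the schema is settled
    FROM Faculty
    -- Wrapping the column in CASE means no index on the chosen column can be
    -- used (the predicate is not SARGable); acceptable for small tables.
    WHERE
        CASE
            WHEN @Variable1 = 'Department' THEN Department
            WHEN @Variable1 = 'Name' THEN Name
            WHEN @Variable1 = 'Gender' THEN Gender
            -- All CASE branches must share one type. FacultyID is presumably an
            -- integer (the other answer's CREATE TABLE declares it INT), so cast
            -- it to text here; otherwise int precedence converts the whole CASE
            -- and 'Male' fails to convert. TODO confirm against the real schema.
            WHEN @Variable1 = 'FacultyID' THEN CAST(FacultyID AS nvarchar(MAX))
            ELSE NULL   -- unknown column name: comparison is UNKNOWN, no rows
        END = @Variable2;
GO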

-- Sample call: every Faculty row whose Gender is 'Male'.
EXECUTE ManualParse2 @Variable2 = N'Male', @Variable1 = N'Gender';
sql-server tsql where-clause dynamic-sql
2个回答

从字里行间推测,我怀疑您真正想要的是:

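-- Dynamic-SQL version. Only the column NAME is spliced into the statement, and
-- only after it has been checked against the table's real column list and
-- delimited with QUOTENAME; the VALUE is always passed to sp_executesql as a
-- bound parameter, so it never becomes part of the SQL text.
CREATE PROC dbo.ManualParse2
    @ColumnName sysname,        -- sysname = nvarchar(128) NOT NULL, the type SQL Server itself uses for object names
    @ColumnValue nvarchar(50)   -- a department/name is never going to need 1 billion characters
AS
BEGIN
    -- Allow-list the column. QUOTENAME makes the identifier safe to splice, but
    -- on its own it still lets a caller filter on ANY column of the table, and
    -- a typo only surfaces as a runtime error from inside sp_executesql.
    IF NOT EXISTS (
        SELECT 1
        FROM sys.columns
        WHERE object_id = OBJECT_ID(N'dbo.Faculty')
          AND name = @ColumnName
    )
        THROW 50000, N'@ColumnName is not a column of dbo.Faculty.', 1;

    DECLARE @SQL nvarchar(MAX),
            @CRLF nchar(2) = NCHAR(13) + NCHAR(10);
    SET @SQL = N'SELECT *' + @CRLF +   -- this should really be an explicit column list
               N'FROM dbo.Faculty' + @CRLF +
               N'WHERE ' + QUOTENAME(@ColumnName) + N' = @ColumnValue;';

    --PRINT @SQL; -- unlikely to be needed for such a simple statement, but your debugging friend
    EXEC sys.sp_executesql @SQL, N'@ColumnValue nvarchar(50)', @ColumnValue = @ColumnValue;
END;
GO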


您可以使用以下查询,但这类查询需要考虑 SQL 注入的风险。

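 -- Throwaway fixture so the procedure below can be demonstrated end to end.
    -- DROP TABLE IF EXISTS (like CREATE OR ALTER below) needs SQL Server 2016+.
    DROP TABLE IF EXISTS Faculty;

    CREATE TABLE Faculty
    (
        Department VARCHAR(100),
        Name       VARCHAR(100),
        Gender     VARCHAR(100),
        FacultyID  INT
    );

    -- Explicit column list: an INSERT without one breaks silently when columns
    -- are added or reordered.
    INSERT INTO Faculty (Department, Name, Gender, FacultyID)
    VALUES ('Dep', 'Name', 'Gen', 1);

    GO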

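    -- The column name is resolved through a fixed CASE allow-list, so only one of
    -- the four known identifiers can ever reach the SQL text. The value is NOT
    -- concatenated in: it goes to sp_executesql as a bound parameter, which is
    -- what closes the injection hole of the string-building version.
    CREATE OR ALTER PROCEDURE ManualParse2
        (
            @Variable1 AS nvarchar(MAX)   -- name of the column to filter on
            ,@Variable2 AS nvarchar(MAX)  -- value that column must equal
        )
    AS
    BEGIN
        DECLARE @VarColumn sysname =
            CASE @Variable1
                WHEN 'Department' THEN 'Department'
                WHEN 'Name'       THEN 'Name'
                WHEN 'Gender'     THEN 'Gender'
                WHEN 'FacultyID'  THEN 'FacultyID'
                ELSE NULL
            END;

        -- Originally an unknown @Variable1 made the statement NULL and EXEC
        -- silently did nothing; fail loudly instead.
        IF @VarColumn IS NULL
            THROW 50000, N'@Variable1 must be one of Department, Name, Gender, FacultyID.', 1;

        -- nvarchar(MAX): the old VARCHAR(1000) buffer could silently truncate the
        -- statement and lose the nvarchar input's characters.
        DECLARE @SQLString nvarchar(MAX) =
            N'SELECT * FROM Faculty WHERE ' + QUOTENAME(@VarColumn) + N' = @Value;';

        -- For FacultyID (INT) the bound nvarchar value is implicitly converted to
        -- int at compare time, exactly as the quoted literal was before.
        EXEC sys.sp_executesql @SQLString, N'@Value nvarchar(MAX)', @Value = @Variable2;
    END;

    GO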

    -- Sample call: the fixture row, looked up by Department.
    EXECUTE ManualParse2 @Variable1 = 'Department', @Variable2 = 'Dep';