我正在编写一个存储过程
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[sp_wellbehavior]
(
@tuwi nvarchar(50),
@country varchar(50)
)
AS
BEGIN
SET NOCOUNT ON
declare @query as nvarchar(1800)
declare @SchemaName as varchar(100)
declare @well_name as nvarchar(100)
declare @number as INT
set @number = cast(PATINDEX('%[^0-9]%', @tuwi) as varchar)
set @SchemaName = case @country
when 'US' Then 'wellbehaviour_US'
when 'Canada' Then 'wellbehaviour_Canda'
when 'Australia' Then 'wellbehaviour_Australia'
when 'Japan' Then 'wellbehaviour_Japan'
when 'China' Then 'wellbehaviour_China'
END
set @well_name = (select well_name from well.well_mapping where index_id = @tuwi)
set @query = 'SELECT [date], [asset], [index_id], [well_name], [open], [gas], [oil], [water], [whp], [wht], [bhp],
[bht], [cluster], [flag], [display_cluster] FROM datascience.'+@SchemaName+ ' where well_view_id ='+@tuwi
Execute sp_executesql @query
END
存储过程创建成功,没有任何错误。但是当我尝试执行存储过程时
有以下声明
DECLARE @RC int
DECLARE @tuwi nvarchar(50)
DECLARE @country varchar(50)
-- TODO: Set parameter values here.
EXECUTE @RC = [dbo].[sp_wellbehavior]
@tuwi = 'Z303400', @country ='Japan'
GO
显示以下错误:
需要帮助来解决 SQL-Server 中的此错误
您的问题是
@tuwi
值未正确转义。但你不应该以任何方式注入它,而是将它作为适当的参数传递给 sp_executesql
。
此外:
nvarchar(max)
。sysname
。QUOTENAME
正确引用注入的名称。varchar
的长度。@number
和@well_name
的确切用途尚不清楚,因为它们没有被使用。PATINDEX
并没有做你认为的那样。CREATE OR ALTER PROCEDURE [dbo].[sp_wellbehavior]
@tuwi nvarchar(50),
@country varchar(50)
AS
SET NOCOUNT ON;
DECLARE
@query nvarchar(max),
@TableName sysname;
SET @TableName = case @country
when 'US' Then 'wellbehaviour_US'
when 'Canada' Then 'wellbehaviour_Canda'
when 'Australia' Then 'wellbehaviour_Australia'
when 'Japan' Then 'wellbehaviour_Japan'
when 'China' Then 'wellbehaviour_China'
END;
SET @query = '
SELECT
date, asset, index_id, well_name,
open, gas, oil, water, whp,
wht, bhp, bht, cluster, flag, display_cluster
FROM datascience.' + QUOTENAME(@SchemaName) + '
where well_view_id = @tuwi;
';
EXEC sp_executesql @query,
N'@tuwi nvarchar(50)',
@tuwi = @tuwi;