sp_executesql 与 'IN'陈述
我试图使用 sp_executesql 来防止 SQL 2005 中的 SQL 注入,我有一个像这样的简单查询:
SELECT * from table WHERE RegionCode in ('X101', 'B202')
但是,当我使用 sp_executesql 执行以下命令时,它不会返回任何内容。
Set @Cmd = N'SELECT * FROM table WHERE RegionCode in (@P1)'
SET @ParamDefinition = N'@P1 varchar(100)';
DECLARE @Code as nvarchar(100);
SET @Code = 'X101,B202'
EXECUTE sp_executesql @Cmd, @ParamDefinition, @P1 = @Code
这是我测试过的:
SET @Code = 'X101' <-- This works, it returns a single region
SET @Code = 'X101,B202' <--- Returns nothing
SET @Code = '''X101'',''B202''' <-- Returns nothing
请帮忙......我做错了什么?
I am trying to use sp_executesql to prevent SQL injection in SQL 2005, I have a simple query like this:
SELECT * from table WHERE RegionCode in ('X101', 'B202')
However, when I use sp_executesql to execute the following, it doesn't return anything.
Set @Cmd = N'SELECT * FROM table WHERE RegionCode in (@P1)'
SET @ParamDefinition = N'@P1 varchar(100)';
DECLARE @Code as nvarchar(100);
SET @Code = 'X101,B202'
EXECUTE sp_executesql @Cmd, @ParamDefinition, @P1 = @Code
The is what I have tested:
SET @Code = 'X101' <-- This works, it returns a single region
SET @Code = 'X101,B202' <--- Returns nothing
SET @Code = '''X101'',''B202''' <-- Returns nothing
Please help.... what did I do wrong?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
它不起作用的原因是因为 @P1 被视为一个单一值。
例如,当 @Code 为 X101,B202 时,查询将按以下方式运行:
SELECT * FROM 表 WHERE RegionCode IN ('X101,B202')
因此,它正在寻找具有 @P1 包含的值的 RegionCode。即使包含单引号,这也意味着它在 RegionCode 中搜索的值应该包含这些单引号。
您需要将 @Code 变量实际连接到 @Cmd sql 命令文本中,以便它按照您的想法工作:
但显然,这只会让您面临 SQL 注入,因此您需要非常小心如果您采取这种方法来确保防止这种情况发生。
如果您想要传递要搜索的动态值列表,则可以使用其他方法来处理这种情况。
查看我的博客上的示例< /a> 可以用于 SQL Server 2005 的 2 种方法。其中一种涉及以“Value1,Value2,Value3”形式传入 CSV 列表,然后使用用户定义的函数将其拆分为 TABLE 变量(有很多如果您快速谷歌或搜索此网站,就会提到这种方法)。拆分后,您可以将该 TABLE var 加入到您的主查询中。第二种方法是传入包含值的 XML blob 并使用 SQL Server 的内置 XML 功能。这两种方法都通过该链接中的性能指标进行了演示,并且它们不需要动态 SQL。
如果您使用的是 SQL Server 2008,则表值参数将是最佳选择 - 这是我在该链接中演示的第三种方法,效果最好。
The reason it doesn't work is because @P1 is treated as one, single value.
e.g. when @Code is X101,B202 then the query is just being run as:
SELECT * FROM Table WHERE RegionCode IN ('X101,B202')
So, it's looking for a RegionCode with the value that is contained with @P1. Even when you include single quotes, all that means is the value it searches for in RegionCode is expected to contain those single quotes.
You'd need to actually concatenate the @Code variable into the @Cmd sql command text in order for it to work the way you are thinking:
Obviously though, this just opens you up to SQL injection so you'd need to be very careful if you took this approach to make sure you guard against that.
There are alternative ways of dealing with this situation where you want to pass in a dynamic list of values to search for.
Check out the examples on my blog for 2 approaches you could use with SQL Server 2005. One involves passing in a CSV list in the form "Value1,Value2,Value3" which you then split out into a TABLE variable using a user defined function (there's a lot of mentions of this approach if you do a quick google or search of this site). Once split out, you then join that TABLE var in to your main query. The second approach is to pass in an XML blob containing the values and use the built-in XML functionality of SQL Server. Both these approaches are demonstrated with performance metrics in that link, and they require no dynamic SQL.
If you were using SQL Server 2008, Table Value Parameters would be the way to go - that's the 3rd approach I demonstrate in that link which comes out best.
SQL Server 中有多种分割字符串的方法。本文涵盖了几乎每种方法的优点和缺点:
"数组和列表SQL Server 2005 及更高版本,当表值参数无法分割时”作者:Erland Sommarskog
您需要创建一个拆分函数。这是分割函数的使用方式:
我更喜欢数字表方法在 TSQL 中分割字符串,但在 SQL Server 中分割字符串的方法有很多种,请参阅前面的链接,其中解释了每种方法的优点和缺点。
要使 Numbers Table 方法发挥作用,您需要执行此一次时间表设置,这将创建一个包含 1 到 10,000 行的
Numbers表:设置 Numbers 表后,创建此拆分函数:
您现在可以轻松地将 CSV 字符串拆分为表并连接它或根据需要使用它,甚至可以在动态 sql 中。以下是如何在您的问题的动态参数化查询中使用它:
这是一个要尝试的工作示例(必须首先设置数字表和分割函数):
输出:
There are many ways to split string in SQL Server. This article covers the PROs and CONs of just about every method:
"Arrays and Lists in SQL Server 2005 and Beyond, When Table Value Parameters Do Not Cut it" by Erland Sommarskog
You need to create a split function. This is how a split function can be used:
I prefer the number table approach to split a string in TSQL but there are numerous ways to split strings in SQL Server, see the previous link, which explains the PROs and CONs of each.
For the Numbers Table method to work, you need to do this one time table setup, which will create a table
Numbersthat contains rows from 1 to 10,000:Once the Numbers table is set up, create this split function:
You can now easily split a CSV string into a table and join on it or use it however you need, even from within dynamic sql. Here is how to use it in the dynamic parameterized query from your question:
HERE is a working sample to try out (must have the numbers table and split function setup first):
OUTPUT:
看来问题出在单个参数上。实际上,您最终会得到:
或者
也就是说,RegionCode 必须等于
'X101,B202'或''X101','B202''(完整的字符串)来工作。最好的选择是在这里使用两个参数:
如果您要在该列表中包含两个以上的项目,那么您可能需要采用另一条路线,可能使用临时表或表值参数。
It looks like the problem is the single parameter. In effect, you're ending up with:
or
That is, RegionCode must be equal to
'X101,B202'or''X101','B202''(the complete string) to work.You're best bet is to use two parameters here:
If you're going to have more than two items in that list though, you may want to go another route, probably with temp tables or table-valued parameters.