动态 SQL 与参数化查询
该存储过程被视为动态 SQL 还是参数化查询?
CREATE PROCEDURE [dbo].[my_dodgy_sp]
@varchar1 varchar(50),
@varchar2 varchar(50)
AS
BEGIN
...
EXEC [dbo].[my_really_special_sp] @varchar1 @varchar2;
END
额外的巧克力甜甜圈,上面有樱桃,如果你能告诉我这是否是动态/参数化的:
CREATE PROCEDURE [dbo].[my_super_dodgy_sp]
@varchar1 varchar(50),
@varchar2 varchar(50),
@stored_procedure_name sysname
AS
BEGIN
...
EXEC @stored_procedure_name @varchar1 @varchar2;
END
Is this stored procedure considered Dynamic SQL or a Parameterised query?
CREATE PROCEDURE [dbo].[my_dodgy_sp]
@varchar1 varchar(50),
@varchar2 varchar(50)
AS
BEGIN
...
EXEC [dbo].[my_really_special_sp] @varchar1 @varchar2;
END
Extra chocolate donuts with cherries on top if you can tell me whether this is Dynamic / Parameterised:
CREATE PROCEDURE [dbo].[my_super_dodgy_sp]
@varchar1 varchar(50),
@varchar2 varchar(50),
@stored_procedure_name sysname
AS
BEGIN
...
EXEC @stored_procedure_name @varchar1 @varchar2;
END
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
不是参数化查询,它是存储过程的正常调用。
如果这会导致参数化查询,则取决于
[my_really_special_sp]的内容。请提供更多信息,我想为您提供更多帮助。
Is not a Parameterised query, it is a normal call of a stored procedure.
It's depend on the content of
[my_really_special_sp]if this will result in a Parameterised query.Please provide more information, i would like to help you much more.
“动态 SQL”是指以编程方式构建 SQL 查询字符串。例如添加连接、构建 where 子句等。
参数化查询是包含变量的 SQL 查询字符串,其值与 SQL 查询字符串分开提供。
您的两个示例都不符合这些描述,因为它们都是存储过程内的简单 T-SQL 调用。
这可能看起来很迂腐,但如果您的应用程序调用
'EXEC [dbo].[my_really_special_sp] @varchar1 @varchar2',那么那就是一个参数化查询。如果您的 SP 调用 sp_executesql 'EXEC [dbo].[my_really_special_sp] @var1 @var2', @var1 = 1, @var2 = 10 那么...
sp_executesql是T-SQL 调用'EXEC [dbo].[my_really_special_sp] @var1 @var2'是您的参数化查询@var1 = 1, @var2 = 10是你的参数重要的一点是,您的示例是 SP 中预编译的语句。我试图解释的例子是传递给 SQL Server 进行解析、编译和执行的字符串。
如果该字符串是通过编程方式逐段组成的,那么它就是动态 sql。
如果该字符串包含单独提供的变量引用,则它被参数化。
我希望这会有所帮助,尽管我知道这可能看起来很主观。
至于你的编程风格。您的第二个 SP 有一个小“漏洞”,因为如果用户有权访问它,他们就可以访问具有相同签名的所有其他 SP,即使该用户本身通常没有访问权限。这可能是故意的,并且/或者您可以验证 @spname 参数以关闭漏洞。除此之外,我看不出有什么可挑剔的。
"Dynamic SQL" refers to building up a SQL Query String programatically. Such as adding joins, building up a where clause, etc.
Parameterised Queries are SQL Query Strings that contain variables, the values of which are supplied separately from the SQL Query String.
Neither of your examples fit these descriptions because they are both simple T-SQL calls within stored procedures.
It may seem pedantic, but if your application calls
'EXEC [dbo].[my_really_special_sp] @varchar1 @varchar2', then that is a parameterised query.And if your SP calls
sp_executesql 'EXEC [dbo].[my_really_special_sp] @var1 @var2', @var1 = 1, @var2 = 10then...sp_executesqlis T-SQL call'EXEC [dbo].[my_really_special_sp] @var1 @var2'is your parameterised query@var1 = 1, @var2 = 10are your parametersThe important point is that your examples are pre-compiled statements in an SP. The examples I tried to explain are strings that are passed to the SQL Server to parse, compile and execute.
If that string is made up programatically piece by piece, it's dynamic sql.
If that string contains variable references that are supplied separately, it is parameterised.
I hope that helps, though I can see that it may seem subjective.
As for your programming style. Your second SP has a minor 'vulnerability', in that if a user has access to it, they have access to all other SPs with the same signature, even if that user doesn't natively normally have access. This may be intentional, and/or you may validate the @spname parameter to close the vulnerability. Other than that, there is nothing I can see that can be faulted.