2015-02-05 82 views
0

I am trying to display the results of a table using a stored procedure. The stored procedure gives the error 'Procedure expects parameter '@parameters' of type 'ntext/nchar/nvarchar''. The stored procedure is given below:

ALTER PROCEDURE COMNODE_PROC_SearchProduct --'','GUN','' 

    @PRODUCTID INT = NULL, 
    @PRODUCT_NAME VARCHAR(500) = NULL, 
    @PRODUCT_POINTS INT = NULL 

AS 
BEGIN 

SET NOCOUNT ON; 
    Declare @SQLQuery AS NVarchar(MAX) 
    Declare @ParamDefinition AS NVarchar(MAX) 
    Set @ParamDefinition = '@ID INT, 
    @NAME VARCHAR(500), 
    @POINTS INT' 

    Set @SQLQuery = 'SELECT PRODUCT_ID,PRODUCT_NAME,PRODUCT_REDEEM_POINTS FROM TBL_REDEEM_PRODUCT WHERE (1 = 1)'; 

    If @PRODUCTID Is Not Null 
    Set @SQLQuery = @SQLQuery + ' And (PRODUCT_ID ='+CAST(@PRODUCTID AS VARCHAR(500))  

    If @PRODUCT_NAME Is Not Null 
    Set @SQLQuery = @SQLQuery + ' And (PRODUCT_NAME =' + CAST(@PRODUCT_NAME AS VARCHAR(500))  

    If @PRODUCT_POINTS Is Not Null 
    Set @SQLQuery = @SQLQuery + ' And (PRODUCT_REDEEM_POINTS ='+ CAST(@PRODUCT_POINTS AS VARCHAR(500)) 



    Execute sp_Executesql  @SQLQuery, 
      @ID = @PRODUCTID , 
      @NAME = @PRODUCT_NAME , 
      @POINTS = @PRODUCT_POINTS; 

END 
+0

Just check the reference below. Link: https://stackoverflow.com/questions/6904451/how-to-fix-the-error-procedure-expects-parameter-parameters-of-type-ntext-nc – 2017-08-22 08:47:53

Answer

1

One of the main reasons you would want to use sp_executesql, and therefore not have to concatenate variables, is that you can use parameterized queries to prevent SQL injection attacks.

Concatenating the parameters just defeats the purpose and makes your query vulnerable to SQL injection. See below for the correct, safe way to use dynamic SQL.

ALTER PROCEDURE COMNODE_PROC_SearchProduct --'','GUN','' 

    @PRODUCTID  INT   = NULL, 
    @PRODUCT_NAME VARCHAR(500) = NULL, 
    @PRODUCT_POINTS INT   = NULL 

AS 
BEGIN 

SET NOCOUNT ON; 
    Declare @SQLQuery AS NVarchar(MAX); 
    Declare @ParamDefinition AS NVarchar(MAX); 

    Set @ParamDefinition = N'@ID INT, @NAME VARCHAR(500), @POINTS INT'; 

    -- A much cleaner way to write this would be... 

    Set @SQLQuery = N'SELECT PRODUCT_ID,PRODUCT_NAME,PRODUCT_REDEEM_POINTS 
        FROM TBL_REDEEM_PRODUCT 
         WHERE (1 = 1)' 
       + CASE WHEN @PRODUCTID Is Not Null 
        THEN N' And PRODUCT_ID = @ID ' ELSE N' ' END  
       + CASE WHEN @PRODUCT_NAME Is Not Null 
        THEN N' And PRODUCT_NAME = @NAME ' ELSE N' ' END  
       + CASE WHEN @PRODUCT_POINTS Is Not Null 
        THEN N' And PRODUCT_REDEEM_POINTS = @POINTS' ELSE N' ' END  



    Execute sp_Executesql @SQLQuery 
         ,@ParamDefinition --<-- this was missing 
         ,@ID = @PRODUCTID 
         ,@NAME = @PRODUCT_NAME 
         ,@POINTS = @PRODUCT_POINTS; 

END 
+0

Sorry, that was a typo, check again; I had left an extra bracket in there. – 2015-02-05 16:20:46

+0

Thanks... I got it... – SANDEEP 2015-02-05 16:21:09
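As an added, stand-alone illustration of the answer's approach (this is not code from the question or the answer), the T-SQL script below builds a throwaway temp table with constructed rows, assembles the same optional-filter query, and calls sp_executesql with the parameter definition that the question's version omitted. The table and column names follow the page; the sample rows, including a product name containing a quote character, are assumed for the demonstration and show that a parameter value is compared as data rather than parsed as part of the SQL text.

```sql
-- Added example, not part of the original question or answer.
-- Constructed sample table and rows; names follow the page.
SET NOCOUNT ON;

CREATE TABLE #TBL_REDEEM_PRODUCT (
    PRODUCT_ID            INT          NOT NULL,
    PRODUCT_NAME          VARCHAR(500) NOT NULL,
    PRODUCT_REDEEM_POINTS INT          NOT NULL
);
INSERT INTO #TBL_REDEEM_PRODUCT VALUES
    (1, 'GUN',          100),
    (2, 'O''NEILL GUN', 250),   -- constructed value containing a quote character
    (3, 'BOW',           50);

-- Inputs as the stored procedure would receive them (constructed):
DECLARE @PRODUCTID      INT          = NULL,
        @PRODUCT_NAME   VARCHAR(500) = 'O''NEILL GUN',
        @PRODUCT_POINTS INT          = NULL;

DECLARE @SQLQuery        NVARCHAR(MAX),
        @ParamDefinition NVARCHAR(MAX) = N'@ID INT, @NAME VARCHAR(500), @POINTS INT';

-- Only the shape of the query (which filters are present) depends on the inputs;
-- the filter values themselves never become part of the SQL text.
SET @SQLQuery = N'SELECT PRODUCT_ID, PRODUCT_NAME, PRODUCT_REDEEM_POINTS
                  FROM #TBL_REDEEM_PRODUCT
                  WHERE 1 = 1'
    + CASE WHEN @PRODUCTID      IS NOT NULL THEN N' AND PRODUCT_ID = @ID'                ELSE N'' END
    + CASE WHEN @PRODUCT_NAME   IS NOT NULL THEN N' AND PRODUCT_NAME = @NAME'            ELSE N'' END
    + CASE WHEN @PRODUCT_POINTS IS NOT NULL THEN N' AND PRODUCT_REDEEM_POINTS = @POINTS' ELSE N'' END;

-- Show the statement actually sent: it contains @NAME, not the quoted product name.
PRINT @SQLQuery;

-- The second argument is the parameter definition the question's call omitted;
-- without it sp_executesql raises "Procedure expects parameter '@parameters' ...".
EXECUTE sp_executesql @SQLQuery, @ParamDefinition,
        @ID     = @PRODUCTID,
        @NAME   = @PRODUCT_NAME,
        @POINTS = @PRODUCT_POINTS;

DROP TABLE #TBL_REDEEM_PRODUCT;
```

Because the SQL text is identical for every value of @PRODUCT_NAME, the same plan is reused across calls and the value cannot alter the statement's structure.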