如何在本身是字符串的 T-SQL 查询中正确转义字符串

【问题标题】:How to properly escape strings inside an T-SQL query which itself a string如何在本身是字符串的 T-SQL 查询中正确转义字符串
【发布时间】:2016-04-25 21:09:35
【问题描述】:

我正在尝试创建一个 SQL 变量,该变量将保存一个我将通过调用

执行的 SQL 字符串 
EXEC(myVariable)

我有这个 SQL 脚本来创建一个存储过程,但是当我在 Management Studio 中执行它时,它会引发以下错误:

替换函数需要 3 个参数。

这是完整的脚本

IF NOT EXISTS(SELECT * FROM sys.objects 
              WHERE object_id = OBJECT_ID(N'SP_Test') AND type IN (N'P', N'SP_Test')) 
BEGIN
    DECLARE @CreateSP varchar(MAX) = 'CREATE  PROCEDURE [dbo].[SP_Test]       
 (@Destination varchar(100),      
 @Period varchar(8000),      
 @ItemType varchar(100),      
 @Nationality  varchar(100))   

AS      
BEGIN      
 SET NOCOUNT ON;      

 Declare @sql as nvarchar(4000)   

 set @sql = ''SELECT distinct  Country.Country_ID,Country.Name, Destination.Destination_ID, Destination.Destination_Name,
   MyTableName.Year, Region.Region_ID,  rtrim(Region.Region_Name) as Category,    
 Count(MyTableName.Allegation) as AllegCnt INTO ##MyTableName_Temp
 FROM MyTableName INNER JOIN Destination on MyTableName.Destination_ID = Destination.Destination_ID
 INNER JOIN Country on  MyTableName.Country_ID=Country.Country_ID
  INNER JOIN Region on MyTableName.Region_ID=Region.Region_ID 
  where 1=1 and Country.Lang_ID=1200 
  AND MyTableName.Country_ID NOT LIKE ''%N/A%'' AND MyTableName.Region_ID != 1''   

 if @Destination is not  null      
 set @sql = @sql + '' AND MyTableName.Destination_ID IN ('' +@Destination+'')''      


 if @Period is not null      
 set @sql = @sql + '' AND Year IN ('' +@Period+'')''      


 if @ItemType is not null      
 set @sql = @sql + '' AND MyTableName.Region_ID IN ('' +@ItemType+'')''      


 if @Nationality  is not null      
 set @sql = @sql + '' AND MyTableName.Country_ID IN ('''''' +replace(@Nationality,'','','''','''')+''''+'')''   


 set @sql = @sql + '' GROUP BY MyTableName.Year,Destination.Destination_Name, Destination.Destination_ID,Country.Country_ID,Country.Name,Region.Region_ID,  Region.Region_Name       
 ORDER BY Name desc''      

 execute(@sql)      

 EXECUTE sp_Arrange      
 ''SELECT Name as Origin, Category, Total FROM ##MyTableName_Temp'',      
 NULL,      
NULL,      
''Origin'',
 ''Total'',    
 ''SUM''         
  drop table ##MyTableName_Temp      
END'      
 EXEC(@CreateSP) 
END

看起来我没有正确转义脚本中的字符串。

【问题讨论】:

标签: sql-server tsql sql-server-2005


【解决方案1】: 
IF OBJECT_ID('dbo.SP_Test') IS NULL BEGIN

DECLARE @CreateSP varchar(MAX) = '
CREATE  PROCEDURE [dbo].[SP_Test]       
(
    @Destination varchar(100),      
    @Period varchar(8000),      
    @ItemType varchar(100),      
    @Nationality  varchar(100)
)   
AS BEGIN

 SET NOCOUNT ON;      

 Declare @sql nvarchar(4000)   

 set @sql = ''
    SELECT DISTINCT
        Country.Country_ID,Country.Name, Destination.Destination_ID, Destination.Destination_Name,
        MyTableName.Year, Region.Region_ID,  rtrim(Region.Region_Name) as Category,    
        COUNT(MyTableName.Allegation) as AllegCnt
    INTO ##MyTableName_Temp
    FROM MyTableName
    JOIN Destination on MyTableName.Destination_ID = Destination.Destination_ID
    JOIN Country on MyTableName.Country_ID=Country.Country_ID
    JOIN Region on MyTableName.Region_ID=Region.Region_ID 
    WHERE Country.Lang_ID=1200 
        AND MyTableName.Country_ID NOT LIKE ''''%N/A%''''
        AND MyTableName.Region_ID != 1''   

 if @Destination is not  null      
 set @sql = @sql + '' AND MyTableName.Destination_ID IN ('' +@Destination+'')''      

 if @Period is not null      
 set @sql = @sql + '' AND Year IN ('' +@Period+'')''      

 if @ItemType is not null      
 set @sql = @sql + '' AND MyTableName.Region_ID IN ('' +@ItemType+'')''      

 if @Nationality  is not null      
 set @sql = @sql + '' AND MyTableName.Country_ID IN ('''''' +replace(@Nationality,'','','''')+''''+'')''   

 set @sql = @sql + '' GROUP BY MyTableName.Year,Destination.Destination_Name, Destination.Destination_ID,Country.Country_ID,Country.Name,Region.Region_ID,  Region.Region_Name       
 ORDER BY Name desc''      

 EXEC(@sql)      

 EXEC sp_Arrange      
    ''SELECT Name as Origin, Category, Total FROM ##MyTableName_Temp'',      
    NULL,      
    NULL,      
    ''Origin'',
    ''Total'',    
    ''SUM''

  drop table ##MyTableName_Temp

END'      

    --PRINT @CreateSP

    EXEC(@CreateSP)

END

【讨论】:

    猜你喜欢
    • 2010-11-19
    • 2015-07-15
    • 1970-01-01
    • 2015-11-05
    • 2014-09-26
    • 1970-01-01
    • 2013-05-02
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode