[Posted]: 2020-05-07 19:36:43
[Question]:
ALTER PROCEDURE [dbo].[Create_Subjects]
    @Subj_ID nvarchar(9)
AS
    DECLARE @First3Digits nvarchar(3);
    DECLARE @Result int;
    -- Fetching the first 3 digits of the subject
    SET @First3Digits = SUBSTRING(@Subj_ID,1,3);
    -- Check if view is present or not
    IF EXISTS (SELECT 1 FROM sys.views WHERE Name = @First3Digits)
    BEGIN
        PRINT 'View exists'
        -- checking if the subject is present in the view
        IF EXISTS (SELECT 1 FROM @First3Digits WHERE SubjectName = @Subj_ID)
        BEGIN
            SET @Result = 1;
        END
        ELSE
        BEGIN
            SET @Result = 0;
        END
    END
    ELSE
    BEGIN
        -- Create a view as view doesn't exist
        EXEC('create view' + @First3Digits
             + 'as
             (select SubjectName from dbo.Subjects where SubjectName like '+@First3Digits+'%'+');')
        SET @Result = 0;
        PRINT 'view does not exist'
    END
    PRINT @First3Digits
GO;
In the code above, I am running into a problem with this line:
IF EXISTS (SELECT 1 FROM @First3Digits WHERE SubjectName = @Subj_ID)
Please help me fix this.
[Discussion]:
-
If you are going to write dynamic SQL, then you need to look at the statement you are generating. Do that and you will spot a problem.
-
Since @First3Digits is not a table variable but may contain the name of a table, you need to turn the statement in question into dynamic SQL. Although the three characters being used seem to rule out too much fun, before you go down the dynamic SQL rabbit hole, read up on SQL Injection.
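The following is an added example, not the asker's procedure or either commenter's code, showing one way to write the lookup as dynamic SQL while closing the injection hole the second comment warns about. It assumes a table dbo.Subjects with a SubjectName nvarchar(9) column, SQL Server 2016 SP1 or later (for CREATE OR ALTER), and it replaces the unused local @Result with an OUTPUT parameter so the caller actually receives the 0/1 answer.

```sql
-- Added example (not the asker's code or either commenter's): a safer rewrite
-- of the procedure. Assumed schema: dbo.Subjects(SubjectName nvarchar(9)).
-- The view name is derived from caller input, so it is validated against a
-- strict allow-list and wrapped with QUOTENAME before being concatenated, and
-- the value being compared is passed as a parameter to sp_executesql rather
-- than spliced into the statement text.
CREATE OR ALTER PROCEDURE dbo.Create_Subjects
    @Subj_ID nvarchar(9),
    @Result  int OUTPUT
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @First3Digits nvarchar(3) = SUBSTRING(@Subj_ID, 1, 3);
    DECLARE @Sql nvarchar(max);

    -- Only letters and digits may become part of an object name here;
    -- anything else is rejected before any dynamic SQL is built.
    IF @First3Digits IS NULL OR LEN(@First3Digits) <> 3
       OR @First3Digits LIKE '%[^A-Za-z0-9]%'
    BEGIN
        THROW 50000, 'Subject prefix must be exactly three alphanumeric characters.', 1;
    END;

    -- Check whether the view exists in the dbo schema (schema-qualified,
    -- unlike a bare lookup of sys.views by name).
    IF OBJECT_ID(QUOTENAME('dbo') + '.' + QUOTENAME(@First3Digits), 'V') IS NULL
    BEGIN
        -- Create the view. QUOTENAME makes the identifier safe; the LIKE
        -- pattern is embedded as a properly escaped string literal, and the
        -- keywords are separated by spaces so the generated text is valid.
        SET @Sql = N'CREATE VIEW dbo.' + QUOTENAME(@First3Digits) + N' AS '
                 + N'SELECT SubjectName FROM dbo.Subjects '
                 + N'WHERE SubjectName LIKE ' + QUOTENAME(@First3Digits + N'%', '''') + N';';
        EXEC sys.sp_executesql @Sql;
        SET @Result = 0;  -- view was just created, so the subject was not found
        RETURN;
    END;

    -- A table name cannot be a variable in FROM, so the lookup is dynamic too,
    -- but the subject value travels as a parameter, never as text.
    DECLARE @Found int = 0;
    SET @Sql = N'SELECT @Found = 1 FROM dbo.' + QUOTENAME(@First3Digits)
             + N' WHERE SubjectName = @Subj;';
    EXEC sys.sp_executesql
        @Sql,
        N'@Subj nvarchar(9), @Found int OUTPUT',
        @Subj  = @Subj_ID,
        @Found = @Found OUTPUT;

    SET @Result = @Found;
END;
GO

-- Usage (assumed caller): returns 1 if the subject is already in the view,
-- 0 if it was absent or the view had to be created.
DECLARE @r int;
EXEC dbo.Create_Subjects @Subj_ID = N'ABC123456', @Result = @r OUTPUT;
SELECT @r AS Result;
```

Two design points worth noting: the allow-list check means the only text that ever reaches an identifier position is three alphanumerics, so QUOTENAME is defence in depth rather than the sole control; and because `GO` is a client batch separator, not a T-SQL statement, it is written without a trailing semicolon.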
Tags: sql-server tsql dynamic-sql