【问题标题】:Dynamic SQL and Executing SQL Text - 'Incorrect Syntax Near Column' and 'Unclosed Quotation Mark After the Character String'动态 SQL 和执行 SQL 文本 - “列附近的语法不正确”和“字符串后的未闭合引号”
【发布时间】:2016-03-14 17:43:31
【问题描述】:

我在找出语法错误和未闭合引号的位置时遇到问题。

当我运行这个查询时:

    query.CommandText = "DECLARE @sql varchar(max);"
    query.CommandText = query.CommandText + " DECLARE @cond varchar(max);"
    query.CommandText = query.CommandText + " SET @cond = replace(replace(@search, '''', ''''''),' ','"" and ""');"
    query.CommandText = query.CommandText + " SET @sql = 'SELECT distinct datawarehouse.dbo.orderformdump.itemno, basedescription,upc,CAST((SELECT [UNITPRICE] FROM PPPLTD.dbo.[ICPRICP] WHERE [ITEMNO] = replace([DataWarehouse].[dbo].[ORDERFORMDUMP].[ITEMNO],''-'','''') AND [PRICELIST] = (select top 1 priclist from PPPLTD.dbo.ARCUS where IDCUST = (select top 1 CUSTID from PPPLTD.dbo.WEBLOGINACCESS where [USER] = ''" + Session("Username") + "'')) and [CURRENCY] = ''CDN'' and DPRICETYPE = 1) AS DECIMAL(18,2)),caseqty, qty AS userquantity FROM [DataWarehouse].[dbo].[ORDERFORMDUMP] LEFT JOIN pppltd.dbo.weboeordd ON pppltd.dbo.WEBOEORDD.ITEMNO = REPLACE(datawarehouse.dbo.ORDERFORMDUMP.ITEMNO,''-'','''') and orduniq not in (select orduniq from pppltd.dbo.weboeordsubmit) and WEBOEORDD.ORDUNIQ in (select orduniq from pppltd.dbo.weboeordh where [user] = ''" + Session("Username") + "'') where (allowinbc = ''Yes'' or allowinab = ''Yes'') '"
    query.CommandText = query.CommandText + " SET @sql = @sql + 'and (contains((basedescription, category, datawarehouse.dbo.orderformdump.description, itembrand, itemgroup, itemname, datawarehouse.dbo.orderformdump.itemno, itemsubtype, itemtype, subcat, upc), ''""' + @cond + '""'') '"
    query.CommandText = query.CommandText + " SET @sql = @sql + 'or (select top 1 1 from PPPLTD.dbo.ICITEMO where OPTFIELD like ''UPC%'' and VALUE like ''%' + replace(@search, '''', '''''') + '%'''"
    query.CommandText = query.CommandText + " SET @sql = @sql + 'and ITEMNO = DataWarehouse.dbo.ORDERFORMDUMP.itemno) is not null) order by DATAWAREHOUSE.dbo.ORDERFORMDUMP.BASEDESCRIPTION'"
    query.CommandText = query.CommandText + " EXECUTE (@sql)"

但是,当我添加行 OR REPLACE(ITEMBRAND, '''''', '''') LIKE ''%' + @search + '%'' 时,查询运行良好

它给了我错误:

“UPC”附近的语法不正确。

字符串'and ITEMNO = DataWarehouse.dbo.ORDERFORMDUMP.itemno) 后的非右引号不为空) order by DATAWAREHOUSE.dbo.ORDERFORMDUMP.BASEDESCRIPTION'。

这是给我带来麻烦的完整查询:

    query.CommandText = "DECLARE @sql varchar(max);"
    query.CommandText = query.CommandText + " DECLARE @cond varchar(max);"
    query.CommandText = query.CommandText + " SET @cond = replace(replace(@search, '''', ''''''),' ','"" and ""');"
    query.CommandText = query.CommandText + " SET @sql = 'SELECT distinct datawarehouse.dbo.orderformdump.itemno, basedescription,upc,CAST((SELECT [UNITPRICE] FROM PPPLTD.dbo.[ICPRICP] WHERE [ITEMNO] = replace([DataWarehouse].[dbo].[ORDERFORMDUMP].[ITEMNO],''-'','''') AND [PRICELIST] = (select top 1 priclist from PPPLTD.dbo.ARCUS where IDCUST = (select top 1 CUSTID from PPPLTD.dbo.WEBLOGINACCESS where [USER] = ''" + Session("Username") + "'')) and [CURRENCY] = ''CDN'' and DPRICETYPE = 1) AS DECIMAL(18,2)),caseqty, qty AS userquantity FROM [DataWarehouse].[dbo].[ORDERFORMDUMP] LEFT JOIN pppltd.dbo.weboeordd ON pppltd.dbo.WEBOEORDD.ITEMNO = REPLACE(datawarehouse.dbo.ORDERFORMDUMP.ITEMNO,''-'','''') and orduniq not in (select orduniq from pppltd.dbo.weboeordsubmit) and WEBOEORDD.ORDUNIQ in (select orduniq from pppltd.dbo.weboeordh where [user] = ''" + Session("Username") + "'') where (allowinbc = ''Yes'' or allowinab = ''Yes'') '"
    query.CommandText = query.CommandText + " SET @sql = @sql + 'and (contains((basedescription, category, datawarehouse.dbo.orderformdump.description, itembrand, itemgroup, itemname, datawarehouse.dbo.orderformdump.itemno, itemsubtype, itemtype, subcat, upc), ''""' + @cond + '""'') OR REPLACE(ITEMBRAND, '''''', '''') LIKE ''%' + @search + '%'' '"
    query.CommandText = query.CommandText + " SET @sql = @sql + 'or (select top 1 1 from PPPLTD.dbo.ICITEMO where OPTFIELD like ''UPC%'' and VALUE like ''%' + replace(@search, '''', '''''') + '%'''"
    query.CommandText = query.CommandText + " SET @sql = @sql + 'and ITEMNO = DataWarehouse.dbo.ORDERFORMDUMP.itemno) is not null) order by DATAWAREHOUSE.dbo.ORDERFORMDUMP.BASEDESCRIPTION'"
    query.CommandText = query.CommandText + " EXECUTE (@sql)"

我已尝试打印该语句,但仍然找不到错误所在。

我在第 6 行末尾添加新的 SQL 行。

谢谢。

【问题讨论】:

  • 在执行之前写出@SQL 并发布生成的SQL。我猜你会看到错误。
  • 您的 sql 字符串在单引号内,但随后您从带有双引号的字符串中转义以进行变量连接。当字符串用单引号括起来时,为什么要使用双引号?例如,它应该看起来像 where [USER] = ''' + Session("Username") + ''')) 这是两个单引号来生成单引号文字,然后是第三个单引号来结束字符串并连接你的 var,然后是三个单引号并返回到你的 sql..
  • 您所做的一切都不需要动态 sql。更少的双动态 sql(一次在 vb 中,一次在 SQL 中)。您应该改用参数化的 sql。它不仅实际上阻止了 sql 注入问题,您还可以搜索单引号。见stackoverflow.com/q/15537368/119477
  • Plus 1 for "Double Dynamic SQL" 我试图想一个好的术语,但我的脑海里一片空白。

标签: sql sql-server vb.net


【解决方案1】:

尝试将REPLACE(ITEMBRAND, '''''', '''') 更改为REPLACE(ITEMBRAND, '''''''', '''')

添加了另一个',所以不是返回REPLACE(ITEMBRAND ,''' ,''),而是返回REPLACE(ITEMBRAND ,'''' ,'')

【讨论】:

    猜你喜欢
    • 2021-04-19
    • 1970-01-01
    • 2015-03-20
    • 2011-02-10
    • 2023-03-25
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多