Multi values passing through a single parameter - sql

ALTER PROCEDURE Example
(#BranchCode AS INT,
#Department VARCHAR(8000),
#DateFrom AS DATETIME,
#DateTo AS DATETIME,
#TransactionNumber AS NVARCHAR(30)
-- #Delimiter char(1)
)
AS
BEGIN
SET NOCOUNT ON;
DECLARE #Sql NVARCHAR(MAX)
SET #Sql = 'Select
Mast.Branch_code, Mast.purerq_id as purerq_id,
Max(Mast.purreq_date) as purreq_date, Max(Mast.Dept_code) as Dept_code,
Max(Mast.purreq_desc) as purreq_desc,
Sum(Det.purreq_qty2) as purreq_qty2,
Det.Item_Code, Max(Mast.purreq_docecNo) as DocNo,
Sum(IsNull(Det.purreq_qty1,0)) as purreq_qty1,
IsNull(Det.purerq_TranNo,'') as purerq_TranNo,
IsNull(Max(Mast.purerq_adduserid),'') as Adduserid,
Max(Det.ItemPacking_Code) as ItemPacking_Code
From
tbl_purreqMaster Mast, tbl_purreq_detail1 Det
Where
Mast.Branch_code = Det.Branch_code And
Mast.purerq_id = Det.purerq_id And
Mast.purreq_date Between ' + #DateFrom + ' And ' + #DateTo + ' And
Mast.Dept_code IN (' + REPLACE( #Department, '''','') + ')
Mast.Branch_code = ' + CAST(#BranchCode AS VARCHAR) + ' AND
Mast.purreq_docecNo =' + #TransactionNumber + '
Group By
Mast.Branch_code, Mast.purerq_id, Det.Item_Code, Det.purerq_TranNo'
PRINT #Sql
--exec sp_executesql #Sql
END
GO
EXEC Example 1,'7,8','2017-10-01 00:00:00','2017-10-30 00:00:00','ALIA/PURQGEN/0000001'
This query shows this error
Msg 241, Level 16, State 1, Procedure Example, Line 18
Conversion failed when converting date and/or time from character string.
However I have tried replace and cast functions to resolve this but I found no solution

I would use the #params that go along with sp_executesql for the parameters that do not need to be concatenated to your executed string. I would also recommend some more processing on #Department to prevent sql injection.
ALTER PROCEDURE Example
(#BranchCode AS INT,
#Department VARCHAR(8000),
#DateFrom AS DATETIME,
#DateTo AS DATETIME,
#TransactionNumber AS NVARCHAR(30)
-- #Delimiter char(1)
)
AS
BEGIN
SET NOCOUNT ON;
DECLARE #Sql NVARCHAR(MAX), #Params nvarchar(8000);
set #Params = '#BranchCode INT, #DateFrom DATETIME, #DateTo DATETIME, #TransactionNumber NVARCHAR(30)'
SET #Sql = 'Select
Mast.Branch_code, Mast.purerq_id as purerq_id,
Max(Mast.purreq_date) as purreq_date, Max(Mast.Dept_code) as Dept_code,
Max(Mast.purreq_desc) as purreq_desc,
Sum(Det.purreq_qty2) as purreq_qty2,
Det.Item_Code, Max(Mast.purreq_docecNo) as DocNo,
Sum(IsNull(Det.purreq_qty1,0)) as purreq_qty1,
IsNull(Det.purerq_TranNo,'') as purerq_TranNo,
IsNull(Max(Mast.purerq_adduserid),'') as Adduserid,
Max(Det.ItemPacking_Code) as ItemPacking_Code
From tbl_purreqMaster Mast
inner join tbl_purreq_detail1 Det
on Mast.Branch_code = Det.Branch_code
and Mast.purerq_id = Det.purerq_id
Where Mast.purreq_date Between #DateFrom and #DateTo
and Mast.Dept_code IN (' + REPLACE( #Department, '''','') + ')
and Mast.Branch_code = #BranchCode
and Mast.purreq_docecNo = #TransactionNumber
Group By
Mast.Branch_code, Mast.purerq_id, Det.Item_Code, Det.purerq_TranNo'
PRINT #Sql
--exec sp_executesql #Sql, #Params, #BranchCode, #DateFrom, #DateTo, #TransactionNumber
END
The best approach in SQL Server 2008 would be using table valued parameters for #DepartmentId:
Table-Valued Parameters - msdn
User-Defined Table Types - msdn
SQL Server 2008 Table-Valued Parameters and C# Custom Iterators: A Match Made In Heaven! - Leonard Lobel
Table Value Parameter Use With C# - Jignesh Trivedi
Using Table-Valued Parameters in SQL Server and .NET - Erland Sommarskog

SQLZim's solution should work. But since he doesn't mention it, I will point out that the reason for the error is this line:
Mast.purreq_date Between ' + #DateFrom + ' And ' + #DateTo + ' And
You need to CAST/CONVERT your datetime variables to nvarchar, and surround them with single-quotes.

Related

Conversion failed when converting date from character string in a stored procedure

I am facing an issue with running a stored procedure with a Date parameter. I have 2 parameters in a stored procedure which returns a result set from a table. In the table name is of type nvarchar and dateclient is a date.
The value of the parameters are coming from an user interface.
ALTER PROCEDURE [dbo].[NAME_SEARCH]
#name nvarchar(255),
#dateclient datetime
AS
BEGIN
DECLARE #parsed_string nvarchar(max)
EXEC parsing_coi_input #name, #parsed_string OUTPUT
PRINT #parsed_string
SET #name = #parsed_string
DECLARE
#BaseQuery nvarchar(max) = 'SELECT Id, name, date_client
FROM Client
INNER JOIN CONTAINSTABLE (Client, ame,'''+ #name + ''') as name_key ON ID = name_key.[KEY]'
DECLARE
#OrderByQuery nvarchar(max) = ' ORDER BY name_key.RANK'
DECLARE
#OrderDesc nvarchar(max) =' DESC'
BEGIN
SET NOCOUNT ON;
SET #BaseQuery = #BaseQuery + '
INNER JOIN CONTAINSTABLE(Client, date_client,'''+ #dateclient +''') AS
date_clientkey ON ID = date_clientkey.[KEY] WHERE date_client_matter_open >= '+ #dateclientmatter
+''
SET #OrderByQuery = #OrderByQuery + ',date_client_key.RANK'
END
DECLARE #fullQuery nvarchar(max)= #BaseQuery + #OrderByQuery + #OrderDesc
EXECUTE sp_executesql #fullQuery
END
I am executing:
EXEC [dbo].[NAME_SEARCH] 'MGeolo','2009-04-05'
But I get this error:
Conversion failed when converting date and/or time from character string.
Any suggestions how to handle this?
You are missing the ' characters around your date when the SQL script is generated and a cast from datetime to varchar.
You should do like:
BEGIN
SET NOCOUNT ON;
SET #BaseQuery = #BaseQuery + '
INNER JOIN CONTAINSTABLE(Client, date_client,'''+ cast(#dateclient as varchar(200)) +''') AS
date_clientkey ON ID = date_clientkey.[KEY] WHERE date_client_matter_open >= '''+ cast(#dateclientmatter as varchar(200)) +''''
SET #OrderByQuery = #OrderByQuery + ',date_client_key.RANK'
It is probably a typo but the #dateclientmatter is undeclared because in the header you have only #dateclient.

Dynamic Sp_Executesql failing on datetime conversion error

I have a very simple dynamic SQL query that specifically needs to be called using sp_executesql with parameters. This query works fine in regular dynamic SQL, but fails when using sp_executesql on a conversion error.
I have tried many combinations of dynamic SQL, but none of them seem to work specifically for datetime conversions related to sp_executesql.
declare
#sql_nvarchar nvarchar(max),
#datetime datetime = GETDATE(),
#sqlparams nvarchar(max),
#tablename nvarchar(max) = 'SomeTableName'
Set #sql_nvarchar =
N'
Select *
from ' + #tablename + '
where Date > ''' + convert(nvarchar(23), #datetime, 101) + ''' '
Set #sqlparams =
N'
#datetime datetime,
#tablename nvarchar(max)
'
EXEC(#sql_nvarchar)
EXEC [sp_executesql] #sql_nvarchar,#sqlparams, #datetime, #tablename
The first exec correctly returns the desired query, the second EXEC throws an error: 'Error converting data type nvarchar(max) to datetime.'
You cannot parameterize an identifier, such as a table name. So, phrase this as:
Set #sql_nvarchar = N'
Select *
from ' + #tablename + '
where Date > #datetime
';
Set #sqlparams = N'#datetime datetime'
exec sp_executesql #sql_nvarchar, #sqlparams,
#datetime=#datetime

Dynamic SQL Server stored procedure with table name as input param

I have the following stored procedure
CREATE PROCEDURE [dbo].[Insert]
#Service varchar(max),
#TableName varchar(100),
#Query varchar(250),
#Results varchar(max),
#CreatedDate datetime,
#ExpirationDate datetime
AS
BEGIN
SET NOCOUNT ON;
BEGIN TRANSACTION
DECLARE #SQL NVARCHAR(MAX), #ParmDefinition NVARCHAR(MAX)
DECLARE #q1 VARCHAR(MAX), #rez1 VARCHAR(MAX),
#date1 DATETIME, #date2 DATETIME
DECLARE #tablename VARCHAR(MAX) = #Service + '.' + #TableName
SET #SQL = N'if not EXISTS (select #q from ' + #tablename + ' where Query = #q) insert into ' + #tablename + ' values(#q, #rez, #date1, #date2)'
SET #ParmDefinition = N'#q varchar(max), #rez varchar(max),
#date1 datetime, #date2 datetime'
EXECUTE sp_executeSQL -- Dynamic T-SQL
#SQL,
#ParmDefinition,
#q = #Query,
#rez = #Results,
#date1= #CreatedDate,
#date2 = #ExpirationDate
COMMIT TRANSACTION
END
When I try to execute it, it doesn't insert anything, 0 rows
If I execute the code without the stored procedure, like a single query it inserts
Am I missing something?
There are a lot of things you have done in your question which doesnt make any sense to me, Why do you need to declare all these variables inside your procedure.
Yes true you are using parametrised query to protect yourself against sql injection attack, yet you left a hole by concatenating the object names (Table and database name), yes you will need to concatenate them but you can use QUOTENAME() function around them passed parameters and enforce sql server to put square brackets around these parameters and force sql server to treat them as nothing else but object names.
And Selecting a variable in IF EXISTS not make much sense. Select 1 which returns true if a row is found with matching criteria , and if no row is found it will simply insert a row.
Only declare variables that needs to declared, otherwise this make it look like a mess and difficult to debug. As they say Keep it simple :)
Also use appropriate data types for your parameters, #Service I believe is your database name why does it need to be a VARCHAR(MAX) data type, use the data type specific to store Sql Server Object names SYSNAME.
CREATE PROCEDURE [dbo].[Insert]
#Service SYSNAME,
#TableName SYSNAME,
#Query varchar(250),
#Results varchar(max),
#CreatedDate datetime,
#ExpirationDate datetime
AS
BEGIN
SET NOCOUNT ON;
BEGIN TRANSACTION
DECLARE #SQL NVARCHAR(MAX), #ParmDefinition NVARCHAR(MAX)
SET #SQL = N'IF NOT EXISTS (select 1 from ' + QUOTENAME(#Service) + '.' + QUOTENAME(#TableName)
+ N' where Query = #q) '
+ N'insert into ' + QUOTENAME(#Service) + '.' + QUOTENAME(#TableName)
+ N' values(#q, #rez, #date1, #date2)'
SET #ParmDefinition = N'#q varchar(250), #rez varchar(max),
#date1 datetime, #date2 datetime'
EXECUTE sp_executeSQL #SQL
,#ParmDefinition
,#q = #Query
,#rez = #Results
,#date1= #CreatedDate
,#date2 = #ExpirationDate
COMMIT TRANSACTION
END

Report Builder paramter dropdown to choose column name

I have a parameter with the available values as column names and a I am using that parameter in the sql query
WHERE ((#ColumnName) BETWEEN (#StartDate) AND (#EndDate))
AND (schema.table.column_name LIKE (#Number))
When i try to run the report i get a cannot convert date/time from characters
If i remove the #ColumnName parameter the report runs fine but i want the ability to choose a column to search the date against.
If you want pass Column name dynamically you will need to use a stored procedure to do this using dynamic sql something like this....
CREATE PROCEDURE Get_Data
#ColumnName1 SYSNAME,
#ColumnName2 SYSNAME,
#StartDate DATETIME,
#EndDate DATETIME,
#Number VARCHAR(100)
AS
BEGIN
SET NOCOUNT ON;
DECLARE #SQL NVARCHAR(MAX);
SET #SQL = N'SELECT * FROM TableName'
+ N'WHERE ' + QUOTENAME(#ColumnName1) + N' BETWEEN #StartDate AND #EndDate '
+ N' AND ' + QUOTENAME(#ColumnName2) + N' LIKE ''#Number'' '
EXECUTE sp_executesql #SQL
,N'#StartDate DATETIME, #EndDate DATETIME, #Number VARCHAR(100)'
,#StartDate
,#EndDate
,#Number
END

Compare date in stored procedure in an exec statement

I have a stored procedure that looks like this:
create stored procedure aaa
#columnName nvarchar(10),
#comparisonParam nvarchar(10),
#val nvarchar(100)
as
declare #date date
set #date = convert(#val, date)
exec('select * from Sheep where ' + #columnName + #comparisonParam + #date )
When actually the query is supposed to be like this:
select * from Sheep where birth_date = 12-12-2000
When I run the procedure it doesn't work with date value, but with string and int it works.
The date value must be quoted.
On a side note, I'd warn against doing this. If you need to build up dynamic sql you need to consider the risks such as: sql injection attacks, bad syntax, invalid semantics etc.
Consider using an existing component to build the query. A few examples:
.NET LINQ (to SQL/Entities) http://msdn.microsoft.com/en-us/library/bb397926.aspx
.NET SqlCommandBuilder http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommandbuilder.aspx
See Best way of constructing dynamic sql queries in C#/.NET3.5?
Your date literal needs to be surrounded in single quotes (I use CHAR(39) usually since it is easier to read and doesn't require escaping). Otherwise you are saying:
WHERE birth_date = (12) - (12) - (2000)
Which resolves to:
WHERE birth_date = -2000
Which resolves to DATEADD(DAY, -2000, '1900-01-01') or:
WHERE birth_date = '1894-07-11'
This is probably not going to yield the results you want.
With typical SQL injection warnings in place of course, and assuming that #columnName is always a string or date/time column, here is how I would re-write your stored procedure (though I would probably try to avoid the dynamic SQL altogether if I could).
ALTER PROCEDURE dbo.aaa
#columnName NVARCHAR(10),
#comparisonParam NVARCHAR(10),
#val NVARCHAR(100)
AS
BEGIN
SET NOCOUNT ON;
DECLARE #sql NVARCHAR(MAX);
SET #sql = N'SELECT * FROM dbo.Sheep WHERE '
+ QUOTENAME(#columnName) + #comparisonParam + CHAR(39)
+ REPLACE(#val, CHAR(39), CHAR(39) + CHAR(39))
+ CHAR(39);
EXEC sp_executesql #sql;
END
GO
In order to thwart potential issues you may want to add validation for columns and data types, and ensure that the operation is one you expect. e.g.
CREATE PROCEDURE dbo.bbb
#columnName NVARCHAR(10),
#comparisonParam NVARCHAR(10),
#val NVARCHAR(100)
AS
BEGIN
SET NOCOUNT ON;
DECLARE #delimiter CHAR(1);
SELECT #delimiter = CASE
WHEN [system_type_id] IN
(104,48,52,56,127,59,60,62,106,108,122) THEN '' -- numeric
WHEN [system_type_id] IN
(35,40,41,42,43,58,61,99,167,175,231,239) THEN CHAR(39) -- string
END FROM sys.columns WHERE [object_id] = OBJECT_ID(N'dbo.Sheep')
AND name = #columnName;
IF #delimiter IS NULL
BEGIN
RAISERROR('Column ''%s'' was not found or an unexpected data type.', 11, 1,
#columnName);
RETURN;
END
IF #comparisonParam NOT IN (N'=', N'>=', N'<=', N'<', N'>', N'LIKE')
BEGIN
RAISERROR('Comparison param ''%s'' was not valid.', 11, 1, #comparisonParam);
RETURN;
END
DECLARE #sql NVARCHAR(MAX);
SET #sql = N'SELECT * FROM dbo.Sheep WHERE '
+ QUOTENAME(#columnName) + ' ' + #comparisonParam + ' '
+ #delimiter + REPLACE(#val, CHAR(39), CHAR(39) + CHAR(39))
+ #delimiter;
EXEC sp_executesql #sql;
END
GO
Now make sure you use an unambiguous date format for your string literals. 12-12-2000 is not a good choice. 20001212 is much better.
There are possibly some ways to do this without dynamic SQL - I gave a very simplified answer here. This may be feasible depending on the data types, the number of potential columns, and the number of operations you want to support.
create stored procedure aaa
#columnName nvarchar(10),
#comparisonParam nvarchar(10),
#val nvarchar(100)
as
declare #date date
set #date = convert(#val, date)
exec('select * from Sheep where ' + #columnName + #comparisonParam + #date )
Build your dynamic SQL using a typed date parameter. Use sp_executesql which allows to pass parameter definitions and parameter values to the embedded SQL:
create procedure aaa
#columnName nvarchar(10),
#comparisonParam nvarchar(10),
#val nvarchar(100)
as
declare #date date, #sql nvarchar(max);
set #date = convert(#val, date);
-- Note how #date is a *variable* in the generated SQL:
set #sql =N'select * from Sheep where ' +
quotename(#columnName) + #comparisonParam + N'#date';
-- Use sp_executesql and define the type and value of the variable
exec sp_executesql #sql, N'#date date', #date;
You need to create table valued function for this rather than creating a stored procedure.
You can use any table valued function like
SELECT * from dbo.CallMyFunction(parameter1, parameter2
eg.
CREATE FUNCTION Sales.ufn_SalesByStore (#storeid int)
RETURNS TABLE
AS
RETURN
(
SELECT P.ProductID, P.Name, SUM(SD.LineTotal) AS 'Total'
FROM Production.Product AS P
JOIN Sales.SalesOrderDetail AS SD ON SD.ProductID = P.ProductID
JOIN Sales.SalesOrderHeader AS SH ON SH.SalesOrderID = SD.SalesOrderID
JOIN Sales.Customer AS C ON SH.CustomerID = C.CustomerID
WHERE C.StoreID = #storeid
GROUP BY P.ProductID, P.Name
);
GO
See this for reference http://msdn.microsoft.com/en-us/library/ms191165(v=sql.105).aspx
EDIT
Instead of using dynamic sql try giving a thought on
SELECT * FROM
FROM [dbo].[Person]
WHERE ([PersonID] = #PersonID
OR #AreaID IS NULL
)
AND (([Code] BETWEEN #Code AND CHAR(255))
OR #Code IS NULL
)
AND (([Name] BETWEEN #Name AND CHAR(255))
OR #Name IS NULL
)
AND (([Notes] BETWEEN #Notes AND CHAR(255))
OR #Notes IS NULL
)