I've written simple stored procedure and executing using sp_executesql to tackle with quotation error and sql injection as well but when i pass a single quote in parameter still it shows me Unclosed quotation mark after the character string ''.
alter procedure dbo.quote_test
(
#quoteid int
)
as
begin
declare #sqlstring as nvarchar(max)
declare #paramdef as nvarchar(100)
set #sqlstring = 'select * from quote where quote_id = #quoteid';
set #paramdef = N'#quoteid int';
exec sp_executesql #sqlstring,#paramdef, #quoteid
end
exec dbo.quote_test 10'
I'm not sure what you are trying to accomplish, but the stored procedure takes an integer for an argument. So, this will work:
exec dbo.quote_test 10
This should not work:
exec dbo.quote_test 'abc'
Could be due to your EXEC statement that has the quote.
exec dbo.quote_test 10'
Related
Little bit of background information:
I have a stored procedure, lets call it SP1. SP1 calls another stored procedure: SP2. SP2 calls another stored procedure: SP3.
Now, the first stored procedure (SP1) returns a resultset. The resultset are parameters for SP2, this is done with a cursor.
Because of these nested inserts and executes, i have to use an openrowset dynamic SQL string to execute my stored procedures.
This is my query:
DECLARE #P_Source varchar(255) = 'test'
DECLARE #P_Location varchar(255) = 'test'
DECLARE #sql varchar(max)
SET #sql = 'INSERT INTO #tmp
SELECT *
FROM OPENROWSET (
''SQLOLEDB'',
''Server=(local);TRUSTED_CONNECTION=YES;'',
''set fmtonly off
EXECUTE dbo.SP1
#P_Source = '''''+#P_Source+'''''''
,#P_Location = '''''+#P_Location+'''''''
)'
exec(#sql)
(I have ofcourse created the table #tmp). I have more parameters to be exact (12), all varchar, but I left them out to not make it messy.
I'm getting the following error
Msg 102, Level 15, State 1, Line 12
Incorrect syntax near ','.
am I using the openrowset command in the correct way with the corresponding procedure parameters?
All those quotes get confusing. By doing select #sql prior to the exec you can see what SQL Server is going to try and do. Based on the query you've provided #sql currently contains:
INSERT INTO #tmp
SELECT *
FROM OPENROWSET (
'SQLOLEDB',
'Server=(local);TRUSTED_CONNECTION=YES;',
'set fmtonly off
EXECUTE dbo.SP1
#P_Source = ''test'''
,#P_Location = ''test'''
)
To help you build up to the final solution you could try having a dummy SP1 that takes two numeric parameters - that'll eliminate some quotes for you to worry about. Once you have that working you can proceed to add string parameters until you get what you want.
For sql linked server use OPENQUERY
https://learn.microsoft.com/en-us/sql/t-sql/functions/openquery-transact-sql
and sp_executesql
DECLARE #P_Source varchar(255) = 'test'
DECLARE #P_Location varchar(255) = 'test'
DECLARE #SQL NVARCHAR(MAX) = '',
#QUERY NVARCHAR(MAX) = '',
#Params NVARCHAR(500) = N'DECLARE #P_Source VARCHAR(255),#P_Location VARCHAR(255); ',
#ParamsValue NVARCHAR(500) = N'SELECT #P_Source = '''''+#P_Source+''''', #P_Location = '''''+#P_Location+''''';'
SET #Query = N'set fmtonly off; EXECUTE dbo.SP1 #P_Source, #P_Location'
SET #SQL = 'SELECT * FROM OPENQUERY([Local],'' sys.sp_executesql ' + #Params + #ParamsValue + #Query +''' )'
INSERT INTO #Tmp
EXEC (#SQL)
I have a SQL query stored in a table that contains parameter names. I need to know how to execute it properly in a stored procedure.
This is my SQL code in the procedure
PROCEDURE [spMassUpdateSKUs]
#SKU AS NVARCHAR(20)
,#FIELD AS NVARCHAR(50)
,#VALUE AS NVARCHAR(50)
,#RESULT as Int = Null Output
AS
BEGIN
IF EXISTS(SELECT CODENUMBER FROM INVENTORY_MASTER WHERE CODENUMBER=#SKU)
BEGIN
DECLARE #SQLQUERY AS NVARCHAR(50)
SET #SQLQUERY=(SELECT SQLUPDATE FROM MASS_UPDATE WHERE DROPDOWNLABEL=#FIELD)
EXEC SP_EXECUTESQL #SQLQUERY
END
and this is the sql query from the table
update inventory_master_flex set departmentid=#value where codenumber=#sku
I've tried replacing with the real parameters but that doen't work.
SELECT REPLACE(REPLACE(#SQLQUERY,'#VALUE',#VALUE),'#SKU',#SKU)
-- 50 is too short for sure; you may try 1000 or different number
DECLARE #SQLQUERY AS NVARCHAR(MAX)
-- for debug purpose
PRINT #SQLQUERY
-- params
EXEC SP_EXECUTESQL #SQLQUERY, N'#Value NVARCHAR(50), #sku NVARCHAR(50)`, #Value, #sku
REPLACE is not good in case of strings with quotes and so on which would brake the #sqlquery code.
Pass the parameters in using sp_executesql, not replace():
IF EXISTS(SELECT CODENUMBER FROM INVENTORY_MASTER WHERE CODENUMBER=#SKU)
BEGIN
DECLARE #SQLQUERY AS NVARCHAR(MAX);
SET #SQLQUERY = (SELECT SQLUPDATE FROM MASS_UPDATE WHERE DROPDOWNLABEL = #FIELD);
EXEC SP_EXECUTESQL #SQLQUERY, N'#SKU VARCHAR(255), #VALUE VARCHAR(255)', #SKU = #SKU, #VALUE = #VALUE
END;
I don't know what the types are. But if one or both are strings or dates, then you would need single quotes in your implementation. However, you are already using sp_executesql so go whole-hog and pass in parameters as well.
I have this proble.
I should to call a Function at a LinkedServer database. So this database not show me a Function.
For this I use this code:
BEGIN
DECLARE #TSQL varchar(8000)
DECLARE #Data as DATE
SET #Data = GETDATE()
SET #TSQL = 'SELECT PIPPO FROM OPENQUERY([SQLIMELTC\IMELTCPROD],''SELECT [FlexNet].[dbo].[AF_GetUTCToLocal] (''''' +CAST(#Data AS NVARCHAR(100))+ ''''') AS PIPPO'' )'
EXEC #TSQL
END
I have this error:
Msg 203, Level 16, State 2, Line 10
The name 'SELECT PIPPO FROM OPENQUERY([SQLIMELTC\IMELTCPROD],'SELECT [FlexNet].[dbo].[AF_GetUTCToLocal] (''2015-01-08'') AS PIPPO' )' is not a valid identifier.
But, if I try to use this code before the instruction
EXEC #TSQL
and use it:
SELECT #TSQL
And after the execute I select in output box the result and execute it, it works.
What is my problem?
Look at the EXECUTE (Transact-SQL) syntax. When you use the variable you should use it in brackets.
Try this:
EXEC (#TSQL)
You need to put parenthesis around #TSQL, e.g.
EXEC (#TSQL);
EXEC without parenthesis is for executing stored procedures. e.g.
DECLARE #TSQL VARCHAR(8000) = 'sp_lock';
EXEC #TSQL;
Will execute the stored procedure sp_lock
Better still use sp_executesql, thus avoiding ambiguity:
EXECUTE sp_executesql #TSQL;
I have a table dbo.usp_table with the following records:
EXEC USP_one
EXEC USP_two
EXEC USP_three
I want to execute these 3 or more stored procedures.
I could do this with a cursor.
However is there an easier way to solve this?
You can try this:
DECLARE #SQL NVARCHAR(MAX) = '';
SELECT #SQL = #SQL + YourColumn + '; '
FROM YourTable;
EXECUTE sp_executesql #SQL;
Where the column YourColumn contains the SQL command.
Declare a variable and store all the values(exec procedurename) inside the table into that variable appended with space at the end and execute the variable. Try this
declare #exec_proc nvarchar(max)=''
select #exec_proc += proc_name+' ' from dbo.usp_table
-- print #exec_proc
exec sp_executesql #exec_proc
Note : This will not work if your procedure accepts parameters
I'm a beginner to SQL Server
I wrote this query:
DECLARE #sql nvarchar(1000) = 'UPDATE Work
SET [Name] = Programmer, [ImageAddress] = pic.jpg
WHERE Id = 2'
SELECT #sql
EXEC Sp_executesql #sql
but I get this error
Invalid column name 'Programmer'.
Why do I get this error?
Thank you for your help
You are dealing with SQL in strings. Quoting the strings becomes a challenge. You need for Programmer to be in single quotes when the query is executed. To get this, you need double single quotes in the string:
DECLARE #sql nvarchar(1000)='
UPDATE Work
SET [Name] = ''Programmer'', [ImageAddress] = ''pic.jpg'' WHERE Id=2'
select #sql
EXEC Sp_executesql #sql;
Because you are wise enough to use sp_executesql, you should learn about parameters. You can write the query as:
DECLARE #sql nvarchar(1000)='
UPDATE Work
SET [Name] = #Programmer, [ImageAddress] = #imageaddress WHERE Id=2'
select #sql
EXEC Sp_executesql #sql, N'#programmer nvarchar(255), #imageaddress nvarchar(255)',
#programmer = N'Programmer', #imageaddress = N'pic.jpg';
This has several advantages besides the quoting. It is safer in terms of SQL injection and it allows SQL Server to cache the execution plans if the query is called more than once.
try this:
You need to use '' (Double Quotes for string) Inside Dynamic SQL
DECLARE #sql nvarchar(1000)='
UPDATE Work
SET [Name] = ''Programmer'',[ImageAddress] =''pic.jpg'' WHERE Id=2'
select #sql
EXEC Sp_executesql #sql