這個存儲過程使用 sp_executesql 執行帶參數的動態 SQL。
它是否能防禦 SQL 注入？也就是說，這個存儲過程在 SQL 注入方面是否安全？
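-- Filter the People table by optional last name, company name, age and start
-- date, returning FirstName, LastName, CompanyName, Age and StartDate.
--
-- Injection safety: the dynamic statement is assembled only from constant
-- string fragments chosen by which filters are non-empty. Every caller-supplied
-- value reaches sp_executesql as a typed parameter (@lastName, @companyName,
-- @age, @startDate) and is never concatenated into the SQL text, so a value
-- cannot change the structure of the statement.
--
-- Parameters (NULL, or '' for the two names, means "do not filter on it"):
--   @lastNameFilter    LastName prefix. A trailing '%' is appended unless the
--                      value already fills the 20-char limit, in which case it
--                      is matched as given (appending would be truncated).
--   @companyNameFilter CompanyName prefix, same rule as @lastNameFilter.
--   @ageFilter         exact Age match.
--   @dateFilter        exact StartDate match.
--
-- Fix: sp_executesql requires its statement and parameter-definition
-- arguments to be Unicode (nvarchar); the previous varchar declarations fail
-- at runtime with "Procedure expects parameter '@statement' of type
-- 'ntext/nchar/nvarchar'". Values are still bound, not concatenated.
--
-- Caveats for callers:
--   * The two name filters feed LIKE, so '%', '_' and '[' inside the value
--     still act as pattern metacharacters (a value of '%' matches every row).
--     That is pattern widening, not injection; add an ESCAPE clause if callers
--     must not be able to broaden the match.
--   * NOTE(review): dynamic SQL is executed in the caller's security context,
--     so the caller needs SELECT on People (or the procedure needs EXECUTE AS)
--     -- confirm against the deployment's permission model.
create procedure ExecutePeopleFilter
(@lastNameFilter varchar(20),
@companyNameFilter varchar(20),
@ageFilter int,
@dateFilter datetime)
as
begin
    -- sp_executesql only accepts Unicode text for @stmt and @params.
    declare @sql nvarchar(4000)
    declare @params nvarchar(1000)
    declare @whereClause nvarchar(1000)

    set @whereClause = N''

    -- Each predicate references a parameter name, never the caller's value.
    if ISNULL(@lastNameFilter, '') <> ''
    begin
        if (LEN(@whereClause) <> 0) set @whereClause += N' and '
        -- Prefix match; skip the wildcard when the value already fills varchar(20),
        -- since '+=' would otherwise be silently truncated back to the raw value.
        if (LEN(@lastNameFilter) < 20) set @lastNameFilter += '%'
        set @whereClause += N'LastName like @lastName '
    end

    if ISNULL(@companyNameFilter, '') <> ''
    begin
        if (LEN(@whereClause) <> 0) set @whereClause += N' and '
        if (LEN(@companyNameFilter) < 20) set @companyNameFilter += '%'
        set @whereClause += N'CompanyName like @companyName '
    end

    if @ageFilter is not null
    begin
        if (LEN(@whereClause) <> 0) set @whereClause += N' and '
        set @whereClause += N'Age = @age '
    end

    if @dateFilter is not null
    begin
        if (LEN(@whereClause) <> 0) set @whereClause += N' and '
        set @whereClause += N'StartDate = @startDate '
    end

    set @sql = N'select FirstName, LastName, CompanyName, Age, StartDate
from People'
    if (LEN(@whereClause) <> 0) set @sql += N' where ' + @whereClause

    -- Parameter declarations mirror the procedure's own argument types.
    set @params = N'@lastName varchar(20),
@companyName varchar(20),
@age int,
@startDate datetime'

    -- Unused parameters are passed as NULL; only the predicates that were
    -- appended above reference them.
    execute sp_executesql @sql, @params,
        @lastName = @lastNameFilter,
        @companyName = @companyNameFilter,
        @age = @ageFilter,
        @startDate = @dateFilter
end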
標記爲答案，因爲它是第一個直接回答問題的回答。儘管如此，其他人的回答也提供了寶貴的意見。 – DyingCactus 2009-09-04 01:27:24