未在动态SQL中存储值

Posted 2021-04-12

我有不同的表来分类存储数据，还有一个记录所有事务日志的日志表例如1）优惠券编号，添加，...2）优惠券编号，删除，..在备份数据库并出于报告目的在另一台服务器中还原之后。那时，我想确保所有日志数据和事务在TestDB中都可用，如果没有，那么我从“ AUD_USER_ACTIVITY”中删除日志。

要查找该事务是否存在，我创建一个动态sql select语句并检查记录是否存在。基于@RecExist值的基础我会执行以下操作，例如，如果TestDB中没有记录，则将删除日志，如果记录存在，则立即中断此循环并转到下一个步骤

但是@RecExist变量在动态SQL执行中不会更新。请引导我

declare @MvDocNo varchar(50)
DECLARE @SCtr as  DECIMAL(10,0)
declare @LocationCode varchar(4)
declare @UName  Nvarchar(40)
declare @toe varchar(30)
declare @QryTxt as nvarchar(MAX);
Declare @RecExist as INT =0;

SET @RecExist=0
WHILE @RecExist=0
      BEGIN
       select top 1 @MvDocNo=DOCNO, @SCtr=SrlNo,@LocationCode =DMLTYPE,@UName=TABLENAME 
           FROM R_AUDDB..AUD_USER_ACTIVITY 
           WHERE DBNAME='TestDB' and DMLTYPE not in ('AD','D','PD') ORDER BY SRLNO DESC;
           select top 1 @toe=docno from TestDB..M_TYPEOFENTRY  where TBLNAME=@UName;

       set @QryTxt='Select @RecExist=1  From R_TestDB..'+@UName+ ' Where '+@toe+'='''+@MvDocNo+''''

       exec (@QryTxt)

           IF @RecExist=0 
          BEGIN 
           DELETE R_AUDDB..AUD_USER_ACTIVITY WHERE SRLNO=@SCtr
              END
      END

答案

以下代码示例演示了如何使用动态SQL检查表中具有特定列和值的行。您应该能够更改前三个变量的值，以引用数据库中的表和列进行测试。

请注意，仍然可以进行SQL注入：不对表名或列名进行验证。

-- Define the table to check and the target column name and value.
declare @TableName as SysName = 'Things';
declare @ColumnName as SysName = 'ThingName';
declare @TestValue as NVarChar(32) = 'Beth';

-- Create a SQL statement to check for a row in the target table with the specified column name and value.
declare @SQL as NVarChar(1024);
declare @Result as Bit;
-- Note that only object names are substituted into the statement at this point and   QuoteName()  is used to reduce problems.
set @SQL = N'select @iResult = case when exists ( select 42 from dbo.' + QuoteName( @TableName ) +
  N' where ' + QuoteName( @ColumnName ) + N' = @iTestValue ) then 1 else 0 end;'
select @SQL as SQL;

-- Execute the SQL statement.
-- Note that parameters are used for all values, i.e. the target value and return value.
execute sp_executesql @stmt = @SQL,
  @params = N'@iTestValue NVarChar(32), @iResult Bit output',
  @iTestValue = @TestValue, @iResult = @Result output

-- Display the result.
select @Result as Result;