how we pass string value in Dynemic query in Store procedure...

Question

0.00/5 (No votes)

See more:

I want to generate dynemic query according to some condition,i made it on my C# page then query work well, now my condition is i want to make this same query in Store procedure,

but my problem is how are pass string value into this query,
this is my code..

SQL

ALTER PROCEDURE [dbo].[proc_JugmentSearchCount]

    @Favour  nvarchar(MAX)='Partly',
AS
BEGIN
      SET NOCOUNT ON;
      DECLARE @DynamicSQL nvarchar(max)

      SET @DynamicSQL = 'SELECT  count(jid)  FROM tblJudgements1  where scategoryname=''Judgements'''


         Set @DynamicSQL = @DynamicSQL + ' And (favour =' +@Favour+')'

      EXECUTE sp_executesql @DynamicSQL
END

the query not take the value of "@Favour" string, and if i write query like this then it work well..

SQL

SET @DynamicSQL = 'SELECT  count(jid)  FROM tblJudgements1  where scategoryname=''Judgements'''


        Set @DynamicSQL = @DynamicSQL + ' And (favour =''partly'')'

     EXECUTE sp_executesql @DynamicSQL

but in my case the value of @Favour is came at my C# page...

so what can i do... plz help.....

Posted 6-Jan-14 5:15am

Arun kumar Gauttam

Updated 6-Jan-14 6:27am

v3

Add a Solution

2 solutions

Solution 2

This is insane. Why would you use EXEC, which bypasses the protection you get from injection attacks, and pretend you're using stored procs ? Why not just do:

SELECT  count(jid)  FROM tblJudgements1  where scategoryname='Judgements' and (favour = @favour

Also, you'd do better to store categories and favours in tables, and then map to them via ids instead of strings.

Posted 6-Jan-14 11:13am

Christian Graus

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

dbrenth · Accepted Answer · 2014-01-06T07:42:00

Solution 1

All you needed to debug this was to add the line

SQL

SELECT @DynamicSQL

at the end of your code. It would have shown you that you are missing the quotes around "Partly".

Replace line 8 with

SQL

Set @DynamicSQL = @DynamicSQL + ' And (favour =''' +@Favour+''')'

Posted 6-Jan-14 7:42am

dbrenth

Comments

Arun kumar Gauttam 6-Jan-14 14:18pm

thanks sir...