Article source: 博客園 (cnblogs) - 易爾購
1. Using EXEC to execute a stored procedure
For example, given a stored procedure named myprocedure:
USE AdventureWorks;
GO
-- CREATE PROCEDURE must be the first statement in its batch, hence the GO above
CREATE PROCEDURE myprocedure @city VARCHAR(20)
AS
BEGIN
    -- use the parameter to filter the result set
    SELECT * FROM Person.Address WHERE City = @city;
END
GO
EXEC myprocedure @city = 'Bothell';  -- named parameter
EXEC myprocedure 'Bothell';          -- or positional
2. Using EXEC to execute dynamic SQL statements
Note: the dynamic SQL string must be enclosed in parentheses, for example:
EXEC ('select * from mytable')
Be aware of the following issues when executing dynamic SQL with EXEC:
1. It cannot take input or output parameters
The following script is wrong:
DECLARE @i AS INT;
SET @i = 10248;
DECLARE @sql AS VARCHAR(52);
SET @sql = 'SELECT * FROM dbo.Orders WHERE OrderID = @i;';
EXEC(@sql);  -- fails: "Must declare the scalar variable @i"; the string runs as its own batch and cannot see @i
GO
2. Functions and CASE expressions cannot be used inside the parentheses; EXEC() accepts only string literals, variables and their concatenation
The following script is wrong:
DECLARE @schemaname AS NVARCHAR(128), @tablename AS NVARCHAR(128);
SET @schemaname = N'dbo';
SET @tablename = N'Order Details';
-- fails with a syntax error: the QUOTENAME() calls are not allowed inside EXEC()
EXEC(N'SELECT COUNT(*) FROM ' + QUOTENAME(@schemaname) + N'.' + QUOTENAME(@tablename) + N';');
GO
It does work if the function calls are evaluated into a variable first:
DECLARE @schemaname AS NVARCHAR(128), @tablename AS NVARCHAR(128), @sql AS NVARCHAR(539);
SET @schemaname = N'dbo';
SET @tablename = N'Order Details';
-- QUOTENAME wraps each identifier in [ ], so a table name containing a space (or a ]) is still a single identifier
SET @sql = N'SELECT COUNT(*) FROM ' + QUOTENAME(@schemaname) + N'.' + QUOTENAME(@tablename) + N';';
EXEC(@sql);
GO
3. Execution plans are not reused, which is a performance problem: every distinct statement text is compiled and cached separately (SQL Server's simple parameterization may rescue a trivial single-table lookup like the one below, but it cannot be relied on for anything more complex)
DECLARE @i AS INT;
SET @i = 10248;
DECLARE @sql AS VARCHAR(52);
-- the value is concatenated into the text, so the statement text changes with every value
SET @sql = 'SELECT * FROM dbo.Orders WHERE OrderID = ' + CAST(@i AS VARCHAR(10)) + ';';
EXEC(@sql);
GO
With @i = 10248, 10249 and 10250, three separate execution plans are generated.
4. It is easy to SQL-inject, which is a security problem.
DECLARE @lastname AS NVARCHAR(40), @sql AS NVARCHAR(200);
-- attacker-controlled value: closes the quoted literal, appends a statement, and comments out the rest
SET @lastname = N''' DROP TABLE dbo.Employees --';
SET @sql = N'SELECT * FROM dbo.Employees WHERE LastName = ''' + @lastname + ''';';
EXEC(@sql);  -- parentheses required; EXEC @sql would treat the string as a procedure name
GO
The SQL actually executed is:
SELECT * FROM dbo.Employees WHERE LastName = '' DROP TABLE dbo.Employees --';
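Problems 1, 3 and 4 have the same root cause: the values are part of the statement text. The fix is to keep the text constant and pass values through sp_executesql, which supports input and output parameters, lets one cached plan serve every value, and makes the injection payload a plain string that is never parsed as SQL. Identifiers (problem 2) cannot be parameters, so they are validated and quoted before concatenation. The following T-SQL is an added example, not code from the original post; it assumes the dbo.Orders, dbo.Employees and dbo.[Order Details] tables referenced above exist, and the @lastname value is the constructed payload from item 4.

```sql
-- Added example: the dynamic SQL above rewritten with sp_executesql.
-- Assumes the dbo.Orders, dbo.Employees and dbo.[Order Details] tables used in this post.

-- (a) Input and output parameters (fixes problem 1 and 3): the statement text is a
--     constant, the values travel separately, so one cached plan serves every OrderID.
DECLARE @sql NVARCHAR(MAX), @i INT = 10248, @cnt INT;
SET @sql = N'SELECT @cnt = COUNT(*) FROM dbo.Orders WHERE OrderID = @id;';
EXEC sp_executesql @sql,
     N'@id INT, @cnt INT OUTPUT',   -- parameter declarations for the dynamic batch
     @id = @i, @cnt = @cnt OUTPUT;  -- bind the outer variables to them
SELECT @cnt AS OrdersMatched;

-- (b) Identifiers (problem 2) cannot be parameters. Check that the object exists,
--     then let QUOTENAME escape it; a value such as N'Orders]; DROP TABLE x; --'
--     becomes the single quoted identifier [Orders]]; DROP TABLE x; --].
DECLARE @schemaname SYSNAME = N'dbo', @tablename SYSNAME = N'Order Details';
IF OBJECT_ID(QUOTENAME(@schemaname) + N'.' + QUOTENAME(@tablename), N'U') IS NULL
BEGIN
    RAISERROR(N'Unknown table', 16, 1);
    RETURN;
END
SET @sql = N'SELECT COUNT(*) AS RowsInTable FROM '
         + QUOTENAME(@schemaname) + N'.' + QUOTENAME(@tablename) + N';';
EXEC sp_executesql @sql;

-- (c) The injection payload from problem 4, now passed as a parameter:
--     it is compared as a literal LastName value; no DROP TABLE is executed.
DECLARE @lastname NVARCHAR(40) = N''' DROP TABLE dbo.Employees --';  -- constructed attacker input
SET @sql = N'SELECT * FROM dbo.Employees WHERE LastName = @ln;';
EXEC sp_executesql @sql, N'@ln NVARCHAR(40)', @ln = @lastname;
```

sp_executesql still runs a separate batch, so the dynamic text cannot read the caller's variables directly; everything it needs must be declared in the second argument and bound in the third, which is also what makes the plan reusable. QUOTENAME only makes an identifier syntactically safe; the OBJECT_ID check is what stops a caller from pointing the query at an arbitrary table they should not see.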