例如存儲過名為:myprocedure
- use AdventureWorks
- create procedure myprocedure @city varchar(20)
- as
- begin
- select * from Person.Address
- end
- exec myprocedure @city = 'Bothell'
- --或
- exec myprocedure 'Bothell'
二、使用EXEC執行動態的SQL語句
注意:動態的sql必須包含於圓括號內如:
- exec ('select * from mytable')
使用EXEC執行動態sql語句注意下面問題
1.不能有輸入參數,輸出參數
下面的腳本是錯誤的:
- DECLARE @i AS INT;
- SET @i = 10248;
- DECLARE @sql AS VARCHAR(52);
- SET @sql = 'SELECT * FROM dbo.Orders WHERE OrderID = @i;';
- EXEC(@sql);
- GO
2.園括號內部能使用函數或case表達式
下面的腳本是錯誤的:
- DECLARE @schemaname AS NVARCHAR(128), @tablename AS NVARCHAR(128);
- SET @schemaname = N'dbo';
- SET @tablename = N'Order Details';
- EXEC(N'SELECT COUNT(*) FROM '
- + QUOTENAME(@schemaname) + N'.' + QUOTENAME(@tablename) + N';');
- GO
不過把函數放在變量中是可以的:
- DECLARE
- @schemaname AS NVARCHAR(128),
- @tablename AS NVARCHAR(128),
- @sql AS NVARCHAR(539);
- SET @schemaname = N'dbo';
- SET @tablename = N'Order Details';
- SET @sql = N'SELECT COUNT(*) FROM '
- + QUOTENAME(@schemaname) + N'.' + QUOTENAME(@tablename) + N';'
- EXEC(@sql);
3.不能利用重用執行計划,存所以存在性能問題
- DECLARE @i AS INT;
- SET @i = 10248;
- DECLARE @sql AS VARCHAR(52);
- SET @sql = 'SELECT * FROM dbo.Orders WHERE OrderID = '
- + CAST(@i AS VARCHAR(10)) + N';';
- EXEC(@sql);
- GO
當@i = 10248, 10249, 10250要生成3個執行計划。
4。容易被sql注入,存在安全問題。
- DECLARE @lastname AS NVARCHAR(40), @sql AS NVARCHAR(200);
- SET @lastname = N''' DROP TABLE dbo.Employees --';
- SET @sql = N'SELECT * FROM dbo.Employees WHERE LastName = '''
- + @lastname + ''';';
- EXEC @sql;
- GO
實際執行的sql為:
- SELECT * FROM dbo.Employees WHERE LastName = '' DROP TABLE dbo.Employees --';