When I tried to save the following stored procedure, it keeps saying the error Incorrect syntax near '@STR' Incorrect syntax near 'END'. As I am a beginner in developing ASP.NET SQL Server applications, can you help me please?

    CREATE PROCEDURE [dbo].[MK_DB]
    (
        @mode NVARCHAR(50)='select',
        @searchfield NVARCHAR(50)='',
        @searchvalue NVARCHAR(50)=''
    )
    AS
    BEGIN
        DECLARE @STR NVARCHAR(2000)
        IF @mode='select'
        BEGIN
            SET @STR = 'select * from MK_DB'
            IF @searchfield <> '' AND @searchvalue <> ''
            BEGIN
                @STR = @STR + ' Where ' + @searchfield + ' like ' + '''' + @searchvalue + '%'+ ''''
            END
            PRINT @STR
            EXEC @STR
        END
    END
Kristen
Test
22859 Posts
Posted - 2010-10-29 : 10:24:21
SELECT @STR = @STR + ' Where ' + @searchfield + ' like ' + '''' + @searchvalue + '%'+ '''' (or you can use SET)
Kristen
Test
22859 Posts
Posted - 2010-10-29 : 10:25:25
Beware that your code is open to SQL Injection - which will allow users to hack into your database.
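An added example, not part of the thread and not any poster's code, showing one way to close the injection hole described above: the column name is resolved against the catalog and bracketed with QUOTENAME, and the search value is passed to sp_executesql as a parameter instead of being concatenated. The procedure name MK_DB_Search and the variables @col and @val are hypothetical; the table and the other parameter names come from the original post, and SQL Server 2005 or later is assumed.

```sql
-- Added example. MK_DB_Search, @col and @val are hypothetical names;
-- dbo.MK_DB, @mode, @searchfield and @searchvalue come from the original post.
CREATE PROCEDURE [dbo].[MK_DB_Search]
(
    @mode        NVARCHAR(50) = N'select',
    @searchfield SYSNAME      = N'',
    @searchvalue NVARCHAR(50) = N''
)
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @STR NVARCHAR(2000);
    DECLARE @col SYSNAME;   -- stays NULL unless the column is found

    IF @mode = N'select'
    BEGIN
        SET @STR = N'SELECT * FROM dbo.MK_DB';

        IF @searchfield <> N'' AND @searchvalue <> N''
        BEGIN
            -- Accept only a real column of dbo.MK_DB. The name that ends up
            -- in the statement is read from sys.columns, not from the caller.
            SELECT @col = c.name
            FROM sys.columns AS c
            WHERE c.object_id = OBJECT_ID(N'dbo.MK_DB')
              AND c.name = @searchfield;

            IF @col IS NULL
            BEGIN
                RAISERROR(N'Unknown search field.', 16, 1);
                RETURN;
            END;

            -- The identifier is bracketed; the value remains a parameter,
            -- so quotes inside @searchvalue cannot terminate the string.
            -- LIKE wildcards (%, _, [) in the value still act as wildcards.
            SET @STR = @STR + N' WHERE ' + QUOTENAME(@col)
                     + N' LIKE @val + N''%''';
        END;

        -- Parentheses-free EXEC of a variable would look for a procedure
        -- with that name; sp_executesql runs the text and binds @val.
        EXEC sys.sp_executesql @STR, N'@val NVARCHAR(50)', @val = @searchvalue;
    END;
END;
```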
X002548
Not Just a Number
15586 Posts
Posted - 2010-10-29 : 10:36:20
quote: Originally posted by Kristen
Beware that your code is open to SQL Injection - which will allow users to hack into your database.
"What is SQL Injection and can his code be hijacked?"
Errmmm ... is the office junior using your account Brett? Or are you referring to the EXEC trying to Execute an Sproc name, rather than Dynamic SQL? Missed that one!
O/P you need to change this too: