Error Message in stored procedure


vimaldreams
Starting Member

17 Posts

Posted - 2010-10-29 : 10:21:33
When I tried to save the following stored procedure, it keeps saying the error

Incorrect syntax near '@STR'
Incorrect syntax near 'END'

As I am a beginner in developing ASP.NET SQL Server applications, can you help me please?


CREATE PROCEDURE [dbo].[MK_DB]

(
@mode NVARCHAR(50)='select',
@searchfield NVARCHAR(50)='',
@searchvalue NVARCHAR(50)=''

)

AS
BEGIN
DECLARE @STR NVARCHAR(2000)
IF @mode='select'
BEGIN
SET @STR = 'select * from MK_DB'

IF @searchfield <> '' AND @searchvalue <> ''
BEGIN
@STR = @STR + ' Where ' + @searchfield + ' like ' + '''' + @searchvalue + '%'+ ''''
END
PRINT @STR
EXEC @STR

END
END

Kristen
Test

22859 Posts

Posted - 2010-10-29 : 10:24:21
SELECT @STR = @STR + ' Where ' + @searchfield + ' like ' + '''' + @searchvalue + '%'+ ''''

(or you can use SET)

Kristen
Test

22859 Posts

Posted - 2010-10-29 : 10:25:25
Beware that your code is open to SQL Injection - which will allow users to hack into your database.

X002548
Not Just a Number

15586 Posts

Posted - 2010-10-29 : 10:36:20
quote:
Originally posted by Kristen

Beware that your code is open to SQL Injection - which will allow users to hack into your database.
What is SQL Injection and can his code be hijacked?

Brett

8-)

Hint: Want your questions answered fast? Follow the direction in this link
http://weblogs.sqlteam.com/brettk/archive/2005/05/25/5276.aspx


Want to help yourself?

http://msdn.microsoft.com/en-us/library/ms130214.aspx

Kristen
Test

22859 Posts

Posted - 2010-10-29 : 10:48:08
"What is SQL Injection and can his code be hijacked?"

Errmmm ... is the office junior using your account Brett?

Or are you referring to the EXEC trying to Execute an Sproc name, rather than Dynamic SQL? Missed that one!

O/P you need to change this too:

EXEC (@STR)


SQL Injection:


EXEC dbo.MK_DB
@mode ='select',
@searchfield = 'SomeColumn',
@searchvalue = '''; RAISERROR (N''Hacked!'', 1, 1); --'
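For contrast with the payload above, here is a hardened form of the OP's procedure, written as an added example rather than code from the thread: the column name is checked against the table's own metadata and quoted with QUOTENAME, and the search value is handed to sp_executesql as a parameter instead of being concatenated, so the RAISERROR text arrives as an ordinary LIKE pattern. The procedure name MK_DB_Safe and the error message are assumptions.

```sql
-- Added example (not from the thread): hardened version of the OP's procedure.
CREATE PROCEDURE [dbo].[MK_DB_Safe]
(
    @mode        NVARCHAR(50) = 'select',
    @searchfield NVARCHAR(50) = '',
    @searchvalue NVARCHAR(50) = ''
)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @STR     NVARCHAR(2000);
    DECLARE @pattern NVARCHAR(51);

    IF @mode = 'select'
    BEGIN
        SET @STR = N'SELECT * FROM dbo.MK_DB';

        IF @searchfield <> '' AND @searchvalue <> ''
        BEGIN
            -- An identifier cannot be passed as a parameter, so check that the
            -- requested column really exists on MK_DB and quote it with QUOTENAME.
            IF NOT EXISTS (SELECT 1 FROM sys.columns
                           WHERE object_id = OBJECT_ID(N'dbo.MK_DB')
                             AND name = @searchfield)
            BEGIN
                RAISERROR(N'Unknown search column.', 16, 1);
                RETURN;
            END;

            -- The value is never concatenated into the statement text;
            -- it travels as a typed parameter, so '; RAISERROR ... --
            -- is just a string that no row happens to match.
            SET @STR = @STR + N' WHERE ' + QUOTENAME(@searchfield) + N' LIKE @pattern';
            SET @pattern = @searchvalue + N'%';
        END;

        PRINT @STR;   -- shows "@pattern", never the caller's input

        EXEC sys.sp_executesql @STR,
                               N'@pattern NVARCHAR(51)',
                               @pattern = @pattern;
    END;
END;
```

Note that `%` and `_` inside @searchvalue still act as LIKE wildcards; that is a matching quirk rather than injection, and can be handled with an ESCAPE clause if exact prefixes are required.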

vimaldreams
Starting Member

17 Posts

Posted - 2010-10-29 : 12:07:03
Thanks for your help

quote:
Originally posted by Kristen

Beware that your code is open to SQL Injection - which will allow users to hack into your database.


X002548
Not Just a Number

15586 Posts

Posted - 2010-10-29 : 12:20:03
I'm in costume for Halloween



Brett

8-)


Kristen
Test

22859 Posts

Posted - 2010-10-29 : 14:31:22
Bit early?