sp-executesql

Why would the exact same SQL query result with a different execution plan when executed via the sp_executeSQL procedure?

好久不见 submitted on 2020-01-14 08:41:28
Question: As the title states, I don't understand why sp_executeSQL would generate a completely different execution plan than running the query from SQL Management Studio. My query in question will take 3 seconds when run from SQL Management Studio, whereas the query run in Management Studio via sp_executeSQL will take 5 minutes. I've updated statistics and reviewed indexes, but the fact remained in my head that the execution plan from sp_executeSQL was FAR worse than running the SQL directly

sp_executesql with 'IN' statement

混江龙づ霸主 submitted on 2020-01-13 18:34:15
Question: I am trying to use sp_executesql to prevent SQL injection in SQL 2005. I have a simple query like this: SELECT * from table WHERE RegionCode in ('X101', 'B202') However, when I use sp_executesql to execute the following, it doesn't return anything. Set @Cmd = N'SELECT * FROM table WHERE RegionCode in (@P1)' SET @ParamDefinition = N'@P1 varchar(100)'; DECLARE @Code as nvarchar(100); SET @Code = 'X101,B202' EXECUTE sp_executesql @Cmd, @ParamDefinition, @P1 = @Code This is what I have tested: SET

Is COMMIT required after every EXECUTE IMMEDIATE?

风格不统一 submitted on 2020-01-13 09:12:11
Question: I have multiple EXECUTE IMMEDIATE commands within one Oracle procedure. EXECUTE IMMEDIATE 'DELETE FROM tbl1'; EXECUTE IMMEDIATE 'INSERT INTO tbl1...'; COMMIT; EXECUTE IMMEDIATE 'DELETE FROM tbl3'; EXECUTE IMMEDIATE 'INSERT INTO tbl3 ...'; COMMIT; EXECUTE IMMEDIATE 'DELETE FROM tbl4'; EXECUTE IMMEDIATE 'INSERT INTO tbl4 ...'; COMMIT; Do I need all of these COMMITs, or just one at the end of the procedure? Answer 1: The only times that you're really forced to commit, other than at the end of a business

How to use sp_executesql to avoid SQL Injection

无人久伴 submitted on 2019-12-31 03:41:46
Question: In the sample code below, the table name is an input parameter. In this case, how can I avoid SQL injection using sp_executesql? Below is the sample code; I am trying to use sp_executesql to avoid it, but it doesn't work. Can anyone tell me how to correct it? ALTER PROC Test @param1 NVARCHAR(50), @param2 INT, @tblname NVARCHAR(100) AS BEGIN DECLARE @sql NVARCHAR(1000) SET @sql= N' select * from ' + @tblname + ' where name= @param1 and id= @param2'; PRINT @sql EXEC Sp_executesql @sql, N'@param1

What is the advantage of using @ParmDefinition in sp_executesql

余生颓废 submitted on 2019-12-31 03:29:08
Question: DECLARE @id int DECLARE @name nvarchar(20) SET @id = 5 SET @name = 'Paul' What is the difference between these two options: Set @SQLQueryInnen = 'SELECT * FROM someTable WHERE ID = ' + @id + ' AND NAME = ''' + @name + '''' Execute sp_Executesql @SQLQueryInnen and Set @SQLQueryInnen = 'SELECT * FROM someTable WHERE ID = @id AND NAME = @name' Set @ParmDefinition = '@id int, @name nvarchar(20)' Execute sp_Executesql @SQLQueryInnen, @ParmDefinition, @id So far I only see the overhead for declaring

named parameters in sp_executesql

坚强是说给别人听的谎言 submitted on 2019-12-24 02:23:08
Question: Is there any way that you can call sp_executesql with parameters that don't depend on the order they are defined in the stored procedure? The same query with exec works well, and if you have the same order it also works well, but it's a pain having to match the parameters one by one, because sometimes I am generating the call dynamically with helpers, and if the DTO object doesn't have the same fields in the same order, it doesn't work well. create procedure ordertest @PARAM1 INT, @PARAM2 INT AS BEGIN SELECT

How to get Excel to reliably execute sp_executesql from a query table on a worksheet?

早过忘川 submitted on 2019-12-24 00:16:47
Question: In MS Excel, if you create a QueryTable with Microsoft Query, and your SQL query cannot be visually presented by Microsoft Query, then you are not allowed to provide parameters for that query. Which is a shame, so there is this awesome technique that allows parameters anyway: {CALL sp_executesql (N'select top (@a) * from mytable', N'@a int', ?)} You provide the query in the ODBC CALL form and it works with parameters. Unless it does not. While on some computers it works flawlessly, on other

Using LIKE in sp_executesql

十年热恋 submitted on 2019-12-22 05:46:06
Question: SET @whereCond = @whereCond + ' AND name LIKE ''%'' + @name + ''%''' Is there something wrong here? After I generate the where condition, I execute it with sp_executesql, but I didn't get anything. When I SELECT the same thing without the sp, it's ok. How to use LIKE in sp_executesql? Can you bring some examples, please? Thank you. UPDATE declare @name nvarchar(50) set @name = 'a' SELECT * FROM Tbl_Persons WHERE 1 = 1 AND lastname LIKE '%a%' exec sp_executesql N'SELECT * FROM Tbl_Persons WHERE 1 = 1

Easy way to convert exec sp_executesql to a normal query?

谁都会走 submitted on 2019-12-20 09:16:40
Question: When debugging queries using Profiler and SSMS, it's pretty common for me to copy a query from Profiler and test it in SSMS. Because I use parameterized SQL, my queries are all sent as exec sp_executesql queries. exec sp_executesql N'/*some query here*/', N'@someParameter tinyint', @someParameter = 2 I'll take this and convert it into a normal query for ease of editing (intellisense, error checking, line numbers, etc): DECLARE @someParameter tinyint SET @someParameter = 2 /*some