
Making string parameters safe for use in dynamic queries

2007-05-22 21:51

set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
go

-- ALTER assumes the function already exists; use CREATE FUNCTION on first deployment.
ALTER FUNCTION [dbo].[fnSafeDynamicString]
-- make string parameters safe for use in dynamic SQL strings.
-- The caller must still wrap the returned value in single quotes when
-- building the dynamic statement; this function only escapes what is inside.
(@chvInput varchar(8000),
 @bitLikeSafe bit = 0) -- set to 1 if the string will be used in a LIKE pattern
RETURNS varchar(8000)
AS
BEGIN
    declare @chvOutput varchar(8000)

    -- double every single quote (char(39)) so the value cannot terminate
    -- the string literal the caller wraps around it
    set @chvOutput = Replace(@chvInput, char(39), char(39) + char(39))

    if @bitLikeSafe = 1
    begin
        -- escape '[' first, so the brackets added below are not escaped again;
        -- ']' on its own has no special meaning in LIKE and needs no treatment
        set @chvOutput = Replace(@chvOutput, '[', '[[]')

        -- neutralise the LIKE wild cards so they match literally
        set @chvOutput = Replace(@chvOutput, '%', '[%]')
        set @chvOutput = Replace(@chvOutput, '_', '[_]')
    end

    RETURN (@chvOutput)
END
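The following is an added example, not code from the original page: it shows the calling pattern dbo.fnSafeDynamicString is written for (the caller supplies the wrapping quotes; the function only escapes the inside), what goes wrong without it, and the parameterised sp_executesql form that avoids quote escaping altogether. The table dbo.Customers, its rows and the input values are constructed for this illustration and are not part of the original.

```sql
-- Added example; assumes the function above is already installed.
-- dbo.Customers and its contents are made up for this demonstration.
CREATE TABLE dbo.Customers (CustomerName varchar(100));
INSERT INTO dbo.Customers VALUES ('O''Brien');
INSERT INTO dbo.Customers VALUES ('Smith 100%');
INSERT INTO dbo.Customers VALUES ('Jones');

DECLARE @Name varchar(100);
DECLARE @sql  nvarchar(4000);

-- Constructed hostile input: a closing quote followed by a tautology.
SET @Name = ''' OR 1=1 --';

-- 1. Unsafe: plain concatenation. @Name closes the literal early and the
--    WHERE clause becomes  CustomerName = '' OR 1=1 --'  matching every row.
SET @sql = N'SELECT CustomerName FROM dbo.Customers WHERE CustomerName = '''
         + @Name + N'''';
PRINT @sql;   -- ... WHERE CustomerName = '' OR 1=1 --'
EXEC (@sql);  -- returns all three rows

-- 2. Escaped with the function. The caller still adds the wrapping quotes;
--    every quote inside the value is doubled, so the literal cannot be
--    terminated and the statement searches for the whole hostile string.
SET @sql = N'SELECT CustomerName FROM dbo.Customers WHERE CustomerName = '''
         + dbo.fnSafeDynamicString(@Name, 0) + N'''';
PRINT @sql;   -- ... WHERE CustomerName = ''' OR 1=1 --'
EXEC (@sql);  -- returns no rows

-- 3. LIKE: with @bitLikeSafe = 1 the %, _ and [ inside the value are
--    neutralised, so only the wildcard appended by the caller is honoured.
--    Without the flag 'Smith 100%' would act as the prefix 'Smith 100'.
SET @Name = 'Smith 100%';
SET @sql = N'SELECT CustomerName FROM dbo.Customers WHERE CustomerName LIKE '''
         + dbo.fnSafeDynamicString(@Name, 1) + N'%''';
PRINT @sql;   -- ... WHERE CustomerName LIKE 'Smith 100[%]%'
EXEC (@sql);  -- returns 'Smith 100%'

-- 4. Preferred: sp_executesql with a typed parameter. The value never becomes
--    part of the statement text, so quote doubling would be wrong here (it
--    would search for two apostrophes). Only the LIKE metacharacters still
--    need the bracket treatment, applied to the parameter value itself.
DECLARE @pattern varchar(110);
SET @pattern = REPLACE(REPLACE(REPLACE(@Name, '[', '[[]'), '%', '[%]'), '_', '[_]') + '%';
SET @sql = N'SELECT CustomerName FROM dbo.Customers WHERE CustomerName LIKE @p';
EXEC sp_executesql @sql, N'@p varchar(110)', @p = @pattern;  -- returns 'Smith 100%'

DROP TABLE dbo.Customers;
```

Two caveats when relying on the escaping route (steps 2 and 3) rather than parameters (step 4): the function is only correct if the caller wraps its output in single quotes and the dynamic statement is run with QUOTED_IDENTIFIER ON, because double quotes are not escaped; and because REPLACE on a non-MAX varchar truncates its result at 8000 bytes, input close to that limit can lose its trailing escaped quotes, so cap the input length well below 8000 before calling it.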