error in stored procedure

SQLServerCentral is supported by Red Gate Software Ltd.

Popular Topics

Home

Members

Calendar

Who's On

Home » SQL Server 2008 » T-SQL (SS2K8) » error in stored procedure

error in stored procedure

Rate Topic

Display Mode

Topic Options

Author

Message

ssurekha2000

Posted Wednesday, December 05, 2012 7:31 PM

SSC Rookie

Group: General Forum Members
Last Login: Wednesday, December 05, 2012 10:13 PM
Points: 46, Visits: 120

ALTER PROCEDURE [dbo].[usp_delete] @tablename sysname, @pid int
,@pidname varchar(10)

AS
DECLARE @SQL varchar(500)

SET @SQL = 'delete from ' + @tablename + ' where '+ @pidname + ' = '+ @pid

Conversion failed when converting the nvarchar value 'delete from m_customer where cid = ' to data type int.

i get the above error

if i convert pid int to varchar i dont get error but the recod is not deleted

whts the best way toprevent sql injection and have database secured

Post #1393292

WolfgangE

Posted Thursday, December 06, 2012 12:02 AM

Valued Member

Group: General Forum Members
Last Login: Tuesday, May 14, 2013 2:56 AM
Points: 74, Visits: 419

To make your statement work you have to convert @pid in the string concatenation.

SET @SQL = 'delete from ' + @tablename + ' where '+ @pidname + ' = '+ cast( @pid as varchar(50) )

To avoid sql injection you should not use dynamic statements like this at all. Write a separate delete procedure for every table where you want to delete data from.

Post #1393340

kapil_kk

Posted Thursday, December 06, 2012 3:39 AM

Ten Centuries

Group: General Forum Members
Last Login: Sunday, May 19, 2013 11:16 PM
Points: 1,061, Visits: 1,151

first ensure that the value you are getting in @pid is int or varchar. If column data type is varchar then use CAST for it.
Hope, It will works for you Tongue

Post #1393413

Sean Pearce

Posted Tuesday, December 11, 2012 1:15 AM

Old Hand

Group: General Forum Members
Last Login: Today @ 5:26 AM
Points: 350, Visits: 1,333

ALTER PROCEDURE [dbo].[usp_delete]
	@tablename sysname,
	@pid int,
	@pidname varchar(10)
AS

DECLARE @SQL NVARCHAR(MAX),
		@Params NVARCHAR(MAX);

SELECT	@SQL = 'DELETE FROM [' + @tablename + '] WHERE ' + @pidname + ' = @pid;',
		@Params = '@pid INT';

EXEC sp_executesql @SQL, @Params, @pid = @pid;

http://thesqlguy.blogspot.com/

Post #1394927

Eugene Elutin

Posted Tuesday, December 11, 2012 3:32 AM

SSCrazy

Group: General Forum Members
Last Login: Today @ 4:53 AM
Points: 2,541, Visits: 4,377

Sean Pearce (12/11/2012)

ALTER PROCEDURE [dbo].[usp_delete]
	@tablename sysname,
	@pid int,
	@pidname varchar(10)
AS

DECLARE @SQL NVARCHAR(MAX),
		@Params NVARCHAR(MAX);

SELECT	@SQL = 'DELETE FROM [' + @tablename + '] WHERE ' + @pidname + ' = @pid;',
		@Params = '@pid INT';

EXEC sp_executesql @SQL, @Params, @pid = @pid;

Don't forget to test your sp by executing:

EXEC dbo].[usp_delete]
	@tablename = 'sometable',
	@pid int = 1,
	@pidname = '1 = 1 OR 1 '

It's a good idea to always protect your dynamic sql from injection

_____________________________________________
"The only true wisdom is in knowing you know nothing"
"O skol'ko nam otkrytiy chudnyh prevnosit microsofta duh!" BigGrin

(So many miracle inventions provided by MS to us...)

How to post your question to get the best and quick help

Post #1394998

GilaMonster

Posted Tuesday, December 11, 2012 3:36 AM

SSC-Dedicated

Group: General Forum Members
Last Login: Today @ 5:54 AM
Points: 37,726, Visits: 29,985

I strongly recommend you do not go this approach of generic delete procedures.

Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #1395002

Sean Pearce

Posted Tuesday, December 11, 2012 7:15 AM

Old Hand

Group: General Forum Members
Last Login: Today @ 5:26 AM
Points: 350, Visits: 1,333

Eugene Elutin (12/11/2012)

Sean Pearce (12/11/2012)

ALTER PROCEDURE [dbo].[usp_delete]
	@tablename sysname,
	@pid int,
	@pidname varchar(10)
AS

DECLARE @SQL NVARCHAR(MAX),
		@Params NVARCHAR(MAX);

SELECT	@SQL = 'DELETE FROM [' + @tablename + '] WHERE ' + @pidname + ' = @pid;',
		@Params = '@pid INT';

EXEC sp_executesql @SQL, @Params, @pid = @pid;

Don't forget to test your sp by executing:

EXEC dbo].[usp_delete]
	@tablename = 'sometable',
	@pid int = 1,
	@pidname = '1 = 1 OR 1 '

It's a good idea to always protect your dynamic sql from injection

You can offer some protection by wrapping the execution statement.

ALTER PROCEDURE [dbo].[usp_delete]
	@tablename sysname,
	@pid int,
	@pidname varchar(10)
AS

DECLARE @SQL NVARCHAR(MAX),
		@Params NVARCHAR(MAX);

SELECT	@SQL = 'DELETE FROM [' + @tablename + '] WHERE ' + @pidname + ' = @pid;',
		@Params = '@pid INT';

IF EXISTS(SELECT * FROM sys.columns WHERE name = @pidname AND OBJECT_NAME(object_id) = @tablename)
BEGIN
    EXEC sp_executesql @SQL, @Params, @pid = @pid;
END;

http://thesqlguy.blogspot.com/

Post #1395111

« Prev Topic | Next Topic »

Permissions