CODEWITHSUNDEEP
c#asp.netsql-server-2008stored-procedures
Mitesh Jain
Mitesh Jain

Reputation: 565

Making query in stored procedure in SQL Server but some error occurs

My stored procedure looks like this:

Alter PROCEDURE [dbo].[productfilter_whatsnew]
   @query1 nvarchar(max),
   @query2 nvarchar(max),
   @date date,
   @pid varchar(5)
AS
   select * 
   FROM Productcolorimage pci  
   where entry_date > @date 
     and selectproduct = @pid + ' ' + @query1 
   order by @'@query2'
GO

My function passing value

public DataTable productfilter_whatsnew(ProductBAL objbal)
{
    DataTable dt = new DataTable();

    using (SqlConnection conn = new SqlConnection(strconn))
    {
        conn.Open();
        SqlCommand cmd = new SqlCommand("productfilter_whatsnew", conn);
        cmd.CommandType = CommandType.StoredProcedure;
        SqlParameter[] para = {
                               new SqlParameter("@query1","and colorid in('3')"),
                                new SqlParameter("@query2","pid ASC"),
                                new SqlParameter("@date","14-09-2013"),
                                new SqlParameter("@pid","1")
                              };
        try
        {
            cmd.Parameters.AddRange(para);
            SqlDataAdapter d = new SqlDataAdapter(cmd);
            d.Fill(dt);
            conn.Close();
        }
        catch (Exception ex)
        {
            throw ex;
        }
    }
    return dt;
}

But showing different errors for placing @query1 and @query2...

Upvotes: 2

Views: 218

Answers (2)

rene
rene

Reputation: 42494

If you really need to you can change your procedure to call sp_executesql. Are you sure you can't use Entity Framework or NHibernate or any other ORM library ?

Alter PROCEDURE [dbo].[productfilter_whatsnew]
@query1 nvarchar(max),
@query2 nvarchar(max),
@date date,
@pid varchar(5)
AS
BEGIN
    declare @sql nvarchar(1000)
    declare @ParmDefinition nvarchr(1000)
    SET @ParmDefinition = N'@date date, @pid varchar(5)';

    set @sql = N'select * FROM Productcolorimage pci  where entry_date>@date and selectproduct=@pid ' + @query1 + ' order by ' + @query2

    EXECUTE sp_executesql @sql, @ParmDefinition, @date=@date, @pid=@pid;
END
GO

Upvotes: 1

roman
roman

Reputation: 117540

If you really sure you want to do this, use dynamic SQL. But be sure to read about SQL Injection first.

alter procedure [dbo].[productfilter_whatsnew]
(
    @query1 nvarchar(max),
    @query2 nvarchar(max),
    @date date,
    @pid varchar(5)
)
as
begin
    declare @stmt nvarchar(max)

    select @stmt= '
        select * 
        from Productcolorimage as pci
        where entry_date > @date and selectproduct = @pid'

    select @stmt = @stmt + ' ' + @query1
    select @stmt = @stmt + ' order by ' + @query2

    -- passing parameters into sp by names, easier to maintain in the future
    exec sp_executesql
        @stmt = @stmt,
        @params = N'@date date, @pid varchar(5)',
        @date = @date,
        @pid = @pid;
end

Upvotes: 2

Related Questions