Reputation: 523
Stored Procedure not execute as expected
I have written following stored procedure
CREATE procedure [dbo].[findUSerID]
@Column_name varchar(50),
@TR_ID int
AS
DECLARE @sql nvarchar(max) = 'SELECT ' +@Column_name+ '
FROM Transfer_TB
WHERE TID =' + CAST(@TR_ID AS VARCHAR(10))
EXEC sp_executesql @sql
Table definition :
CREATE TABLE [dbo].[Transfer_TB]
(
[TID] [int] NULL,
[ABC] [varchar](20) NULL,
[XYZ] [varchar](50) NULL,
[LMN] [varchar](50) NULL,
[PQR] [varchar](50) NULL,
)
But it does not return the proper output.
Like I have called it from my asp page code for that using n tier architecture.
public string check_validID(string branch,int trId)
{
string user_Br_ID;
clsBranch_TB objbr = new clsBranch_TB();
clsUserTB objuser = new clsUserTB();
objuser.User_Branch = 'XYZ';
objuser.Extra_Int = 32;
DataSet ds = clsAdminLogic.findUSerID(objuser);
if (ds.Tables[0].Rows.Count == 0)
{
user_Br_ID = clsAdminLogic.getno_of_Emp(objbr);
}
else
{
user_Br_ID = ds.Tables[0].Rows[0][0].ToString();
}
return user_Br_ID;
}
public static DataSet findUSerID(clsUserTB objuser)
{
DataSet ds = DataAccessLayer.clsLogs.findUSerID(objuser);
return ds;
}
public static DataSet findUSerID(clsUserTB objuser)
{
SqlParameter[] param = {
new SqlParameter("@TR_ID",objuser.Extra_Int),
new SqlParameter("@Column_name",objuser.User_Branch)
};
DataSet ds = DataAccessLayer.SqlHelper.FillDataNewRJ(
DataAccessLayer.clsDataAccessLayer.con.ConnectionString.ToString(),
CommandType.StoredProcedure, "findUSerID", (param)
);
return ds;
}
As it executes it, there is value present in database, but still it enters into if part of that function.
Please help me and guide if something wrong in above code
Upvotes: 0
Views: 105
Answers (3)
Reputation: 523
i found solution for this problem, actually that particular record contains values instead of selective column that's why query returning the null value. So i just have added one condition my stored procedure to fix it .
ALTER procedure [dbo].[findUSerID]
@Column_name varchar(50),
@TR_ID int
AS
DECLARE @sql nvarchar(max) = 'SELECT ' +@Column_name+ '
FROM Transfer_TB where TID =' + CAST(@TR_ID AS VARCHAR(10))+'
and '+@Column_name+'<> null'
exec sp_executesql @sql
Upvotes: 0
Reputation: 19225
there is value present in database, but still it enters into else part of that function
I assume this is the part you're talking about (there are 3 functions in that code)
if (ds.Tables[0].Rows.Count == 0)
{
user_Br_ID = clsAdminLogic.getno_of_Emp(objbr);
}
else
{
user_Br_ID = ds.Tables[0].Rows[0][0].ToString();
}
Yes. Your if goes into the else if the rows are not 0. It's doing exactly what its being told. That basic logic error is the least of your worries though. You're storing branches as columns?
Upvotes: 0
Reputation: 69564
Your stored procedure is prone to Sql-Injection. do the following to protect yourself against it.
CREATE procedure [dbo].[findUSerID]
@Column_name SYSNAME
,@TR_ID INT
AS
BEGIN
SET NOCOUNT ON;
DECLARE @sql nvarchar(max);
SET @sql = N' SELECT ' + QUOTENAME(@Column_name)
+ N' FROM Transfer_TB '
+ N' WHERE TID = @TR_ID '
exec sp_executesql @sql
,N'@TR_ID int'
,@TR_ID
END
If your Stored procedure is returning a scalar value "UserID" as the name suggest you should be doing something like......
CREATE procedure [dbo].[findUSerID]
@Column_name SYSNAME
,@TR_ID INT
,@UserID INT OUTPUT
AS
BEGIN
SET NOCOUNT ON;
DECLARE @sql nvarchar(max);
SET @sql = N' SELECT @UserID = ' + QUOTENAME(@Column_name)
+ N' FROM Transfer_TB '
+ N' WHERE TID = @TR_ID '
exec sp_executesql @sql
,N'@TR_ID int , @UserID INT OUTPUT'
,@TR_ID
,@UserID OUTPUT
END
Upvotes: 2
Related Questions
- Stored Procedure not working properly
- SQL Stored Procedure not working as intended.
- Stored Procedure Not Executing ASP.NET C#
- ASP.NET Stored Procedure method not working
- Stored Procedure not working correctly
- Stored procedure is not working?
- Correct Procedure is not executed?
- SQL Stored procedure and asp.net not working
- Problem with a stored procedure
- SQL Stored Procedure Problem in ASP.NET