
MSSQL 中的 动态SQL四种类型的语句格式


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-10-30   浏览: 79 ::

  1.Dynamic SQL Format 1

EXECUTE IMMEDIATE SQLStatement     {USING TransactionObject} ;

eg:
// Format 1 example: a statement that takes no input parameters and returns
// no result set.
// EXECUTE IMMEDIATE runs the string exactly as it was built; nothing is bound
// separately. Assemble the text from fixed literals only. A value that comes
// from a user or any other external source belongs in a Format 2 statement
// with a "?" placeholder, not in this concatenation.
string ls_create_sql

ls_create_sql = "CREATE TABLE Employee " + &
    "(emp_id integer not null," + &
    "dept_id integer not null, " + &
    "emp_fname char(10) not null, " + &
    "emp_lname char(20) not null)"

// No USING clause is given, so the default transaction object (SQLCA) is used.
// The example omits error handling; real code should test SQLCA.SQLCode here.
EXECUTE IMMEDIATE :ls_create_sql ;

2.Dynamic SQL Format 2

PREPARE DynamicStagingArea FROM SQLStatement     {USING TransactionObject} ;
EXECUTE DynamicStagingArea USING {ParameterList} ;

eg:
// Format 2 example: a statement with an input parameter and no result set.
// The "?" in the statement text is a placeholder. Its value is supplied by the
// USING list at EXECUTE time, so the value is bound as data and never becomes
// part of the SQL text.
integer li_emp_id = 56

PREPARE SQLSA FROM "DELETE FROM employee WHERE emp_id=?" ;

// The example omits error handling; real code should test SQLCA.SQLCode after
// PREPARE and after EXECUTE.
EXECUTE SQLSA USING :li_emp_id ;


3.Dynamic SQL Format 3

DECLARE Cursor | Procedure     DYNAMIC CURSOR | PROCEDURE      FOR DynamicStagingArea ;
PREPARE DynamicStagingArea FROM SQLStatement     {USING TransactionObject} ;
OPEN DYNAMIC Cursor     {USING ParameterList} ;
EXECUTE DYNAMIC Procedure    {USING ParameterList} ;
FETCH Cursor | Procedure     INTO HostVariableList ;
CLOSE Cursor | Procedure ;
eg:
// Format 3 example: a statement that returns a result set whose columns are
// known when the script is written. The cursor is declared on the staging
// area SQLSA, the statement is prepared into it, and the first row's emp_id
// is fetched into a host variable.
integer li_emp_id

DECLARE emp_cursor DYNAMIC CURSOR FOR SQLSA ;

// The statement text is a fixed literal with no parameters, so OPEN needs no
// USING list.
PREPARE SQLSA FROM "SELECT emp_id FROM employee" ;
OPEN DYNAMIC emp_cursor ;

// The example omits error handling; real code should test SQLCA.SQLCode after
// OPEN and FETCH before relying on li_emp_id.
FETCH emp_cursor INTO :li_emp_id ;
CLOSE emp_cursor ;


4.Dynamic SQL Format 4

DECLARE Cursor | Procedure     DYNAMIC CURSOR | PROCEDURE      FOR DynamicStagingArea ;
PREPARE DynamicStagingArea FROM SQLStatement    {USING TransactionObject} ;
DESCRIBE DynamicStagingArea    INTO DynamicDescriptionArea ;
OPEN DYNAMIC Cursor | Procedure    USING DESCRIPTOR DynamicDescriptionArea ;
EXECUTE DYNAMIC Cursor | Procedure    USING DESCRIPTOR DynamicDescriptionArea ;
FETCH Cursor | Procedure     USING DESCRIPTOR DynamicDescriptionArea ;
CLOSE Cursor | Procedure ;

eg:

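// Format 4 example: a statement whose result columns are discovered at run
// time through the dynamic description area SQLDA.
string Stringvar, Sqlstatement
integer Intvar

// The statement text here is a fixed literal. PREPARE accepts any string, so
// text built from external input must not reach this variable; pass values
// through "?" placeholders and the descriptor instead.
Sqlstatement = "SELECT emp_id FROM employee"
PREPARE SQLSA FROM :Sqlstatement ;
DESCRIBE SQLSA INTO SQLDA ;
DECLARE my_cursor DYNAMIC CURSOR FOR SQLSA ;
OPEN DYNAMIC my_cursor USING DESCRIPTOR SQLDA ;
FETCH my_cursor USING DESCRIPTOR SQLDA ;

// If the FETCH is successful, the output descriptor array contains the
// returned values from the first row of the result set.
// SQLDA.NumOutputs contains the number of output descriptors.
// The SQLDA.OutParmType array contains NumOutputs entries, and each entry
// holds a value of the enumerated data type ParmType
// (such as TypeInteger! or TypeString!).

// Read the descriptor only when the FETCH succeeded. No USING clause was
// given, so the status is reported in the default transaction object SQLCA.
// A nonzero SQLCode means no row or an error, and the output values are not
// meaningful.
IF SQLCA.SQLCode = 0 THEN
    CHOOSE CASE SQLDA.OutParmType[1]
        CASE TypeString!
            Stringvar = GetDynamicString(SQLDA, 1)
        CASE TypeInteger!
            Intvar = GetDynamicNumber(SQLDA, 1)
    END CHOOSE
END IF

// Close the cursor whether or not a row was returned.
CLOSE my_cursor ;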