MySQL(存储)过程 - 参数和查询

时间:2021-11-06 01:32:50

I am trying to create a simple procedure with parameters.

我试图用参数创建一个简单的过程。

CALL new_procedure('mode', 'ASC');

The first input is the column the second is the sort direction

第一个输入是列,第二个输入是排序方向

DELIMITER $$

CREATE DEFINER=`root`@`localhost` PROCEDURE `new_procedure`(IN in_order_by_column varchar(20), in_order_by_direction char(4))
BEGIN

    DECLARE order_by varchar(30);
    SET @order_by = CONCAT('`', in_order_by_column, '` ', in_order_by_direction);
/*
    SELECT * FROM `common_tags` ORDER BY @order_by  LIMIT 5;
*/
    SELECT @order_by as 'c';

END

In the above example I have it only outputting the 2 parameters so I can see what's happening.

在上面的例子中我只输出了2个参数,这样我就可以看到发生了什么。

Result:

"c"
`mode` ASC

.

When I run the procedure with it's intended code, below.

当我使用它的预期代码运行该程序时,如下所示。

DELIMITER $$

CREATE DEFINER=`root`@`localhost` PROCEDURE `new_procedure`(IN in_order_by_column varchar(20), in_order_by_direction char(4))
BEGIN

    DECLARE order_by varchar(30);
    SET @order_by = CONCAT('`', in_order_by_column, '` ', in_order_by_direction);
    SELECT * FROM `common_tags` ORDER BY @order_by  LIMIT 5;

END

Results

tags_id     data                mode        parent_id       position
1           Wood                2           13              6
2           Trippy              0           0               0
4           Artists             1           0               1
6           "Newest Additions"  1           0               11
12          "Natural Elements"  2           5               8

As you can see the results are not sorted by mode.

如您所见,结果未按模式排序。

Any help is appreciated.

任何帮助表示赞赏。

1 个解决方案

#1


10  

Unfortunately, you need to PREPARE entire query in this case:

不幸的是,在这种情况下你需要PREPARE整个查询:

DELIMITER $$

DROP PROCEDURE IF EXISTS `new_procedure`$$

CREATE PROCEDURE `new_procedure`(IN in_order_by_column varchar(20), in_order_by_direction char(4))
BEGIN
    SET @buffer = CONCAT_WS('',
        'SELECT * FROM `common_tags` ORDER BY `', in_order_by_column, '` ', in_order_by_direction, ' LIMIT 5'
    );

    PREPARE stmt FROM @buffer;
    EXECUTE stmt;

    DEALLOCATE PREPARE stmt;
END$$

DELIMITER ;

NOTE: Described approach should be used very careful, because it is vulnurable to SQL Injection attacks, if used incorrectly.

注意:应该非常小心地使用所描述的方法,因为如果使用不正确,它对SQL注入攻击很难理解。

#1


10  

Unfortunately, you need to PREPARE entire query in this case:

不幸的是,在这种情况下你需要PREPARE整个查询:

DELIMITER $$

DROP PROCEDURE IF EXISTS `new_procedure`$$

CREATE PROCEDURE `new_procedure`(IN in_order_by_column varchar(20), in_order_by_direction char(4))
BEGIN
    SET @buffer = CONCAT_WS('',
        'SELECT * FROM `common_tags` ORDER BY `', in_order_by_column, '` ', in_order_by_direction, ' LIMIT 5'
    );

    PREPARE stmt FROM @buffer;
    EXECUTE stmt;

    DEALLOCATE PREPARE stmt;
END$$

DELIMITER ;

NOTE: Described approach should be used very careful, because it is vulnurable to SQL Injection attacks, if used incorrectly.

注意:应该非常小心地使用所描述的方法,因为如果使用不正确,它对SQL注入攻击很难理解。