我使用的是mysql,我有一个存储过程,它有一个输入变量。mysql查询帮助(如语句)
我想在select语句中使用这个变量(使用like子句)。
如:
DELIMITER $$
DROP PROCEDURE IF EXISTS `DeleteDataByTransactionID` $$
CREATE DEFINER=`root`@`%` PROCEDURE `DeleteDataByTransactionID`(in **$TransactionID** varchar(50))
BEGIN
delete from sqlstatements where tempsql like '%'+ **$TransactionID** + '%';
END $$
DELIMITER ;
感谢
DELIMITER $$
DROP PROCEDURE IF EXISTS `DeleteDataByTransactionID`
$$
CREATE DEFINER=`root`@`%` PROCEDURE `DeleteDataByTransactionID`(TransactionID VARCHAR(50))
BEGIN
DELETE
FROM sqlstatements
WHERE tempsql LIKE CONCAT('%', TransactionID, '%');
END
$$
DELIMITER ;
事实上,公认的答案的版本是开放的SQL注入,如果调用方不正确的参数调用存储过程。我建议在存储过程中使用准备好的声明如下,以保证安全,而不是依赖呼叫者:
DELIMITER $$
CREATE PROCEDURE `DeleteDataByTransactionID`
(
TransactionID VARCHAR(50)
)
BEGIN
SET @sql =
"DELETE
FROM sqlstatements
WHERE
tempsql LIKE CONCAT('%', ?, '%')";
SET @transid = TransactionID;
PREPARE stmt FROM @sql;
EXECUTE stmt USING @transid;
DEALLOCATE PREPARE stmt;
END
$$