动态SQL查询搜索

Question

我想建立一个SQL查询与给定的参数，但我得到一个奇怪的错误，不能理解为什么。这是我的SP，并导致

ALTER PROCEDURE [dbo].[sp_Photographers_Select_Search] 
    @Date varchar(100), 
    @PriceMin int, 
    @PriceMax int, 
    @CityID int 

AS 
BEGIN 
    SET DATEFORMAT DMY 
    DECLARE @SQL as varchar(2000) 
    SET @SQL = 'SELECT *, 
    (SELECT TOP (1) Price FROM Packages WHERE PhotographerID = Photographers.PhotographerID ORDER BY Price) as PriceMin, 
    (SELECT TOP (1) Price FROM Packages WHERE PhotographerID = Photographers.PhotographerID ORDER BY Price DESC) as PriceMax, 
    (SELECT COUNT(GalleryID) FROM Galleries WHERE PhotographerID = Photographers.PhotographerID AND Status = 1) as GalleryCount, 
    (SELECT COUNT(CommentID) FROM Comments WHERE ContentID = Photographers.PhotographerID AND Status = 1 AND TypeID = 1) as CommentCount 
    FROM Photographers WHERE 1 = 1 ' 

    IF @PriceMin <> 0 OR @PriceMax <> 0 BEGIN 
     SET @SQL = @SQL + ' AND PhotographerID IN(SELECT PhotographerID FROM Packages WHERE Price BETWEEN '+@PriceMin+' AND '+@PriceMax+') ' 
    END 

    IF @CityID > 0 
     SET @SQL += ' AND CityID = '+@CityID+'' 

    SET @SQL = @SQL + ' AND PhotographerID NOT IN (SELECT PhotographerID FROM Appointments WHERE Date = '''+@Date+''')'  

    EXEC (@SQL) 
END 

EXEC @return_value = [dbo].[sp_Photographers_Select_Search] 
     @Date = N'23.05.2013', 
     @PriceMin = 0, 
     @PriceMax = 0, 
     @CityID = 34 

和错误是

Msg 245, Level 16, State 1, Procedure sp_Photographers_Select_Search, Line 23 
Conversion failed when converting the varchar value 'SELECT *, 
    (SELECT TOP (1) Price FROM Packages WHERE PhotographerID = Photographers.PhotographerID ORDER BY Price) as PriceMin, 
    (SELECT TOP (1) Price FROM Packages WHERE PhotographerID = Photographers.PhotographerID ORDER BY Price DESC) as PriceMax, 
    (SELECT COUNT(GalleryID) FROM Galleries WHERE PhotographerID = Photographers.PhotographerID AND Status = 1) as GalleryCount, 
    (SELECT COUNT(CommentID) FROM Comments WHERE ContentID = Photographers.PhotographerID AND Status = 1 AND TypeID = 1) as CommentCount 
    FROM Photographers WHERE 1 = 1 ' to data type int. 

你能描述的错误？谢谢！

Answer 1

Cast数字值，即在sql语句中连接之前的@PriceMin，@PriceMax和@CityID。

修改SQL语句是按如下：

IF @PriceMin <> 0 OR @PriceMax <> 0 
BEGIN 
    SET @SQL = @SQL + ' AND PhotographerID IN(SELECT PhotographerID FROM Packages WHERE Price BETWEEN '+ cast(@PriceMin as varchar(10)) 
    +' AND '+ cast(@PriceMax as varchar(10)) +') ' 
END 

IF @CityID > 0 
    SET @SQL += ' AND CityID = '+ cast(@CityID as varchar(10)) 

Answer 2

Romil的回答解决了你问的问题，但你应该问的是如何改变这种查询并非是动态的。我不知道你的数据库结构，所以这个查询将需要验证，但我做的WHERE子句更新将允许您的查询运行而不是动态的。这将显着提高性能，减少注入风险，并且围绕这些类型的查询提供更好的方法。

ALTER PROCEDURE [dbo].[sp_Photographers_Select_Search] 
    @Date  AS VARCHAR(100), 
    @PriceMin AS INT, 
    @PriceMax AS INT, 
    @CityID  AS INT 

AS 
BEGIN 
    SET DATEFORMAT DMY 
    SELECT *, 
      (SELECT TOP (1) Price FROM Packages WHERE PhotographerID = Photographers.PhotographerID ORDER BY Price) AS PriceMin, 
      (SELECT TOP (1) Price FROM Packages WHERE PhotographerID = Photographers.PhotographerID ORDER BY Price DESC) AS PriceMax, 
      (SELECT COUNT(GalleryID) FROM Galleries WHERE PhotographerID = Photographers.PhotographerID AND Status = 1) AS GalleryCount, 
      (SELECT COUNT(CommentID) FROM Comments WHERE ContentID = Photographers.PhotographerID AND Status = 1 AND TypeID = 1) AS CommentCount 
    FROM Photographers 
    WHERE 1 = 1 
     AND PhotographerID NOT IN (SELECT PhotographerID FROM Appointments WHERE Date = @Date) 
     AND 
     (
      (
       @PriceMin = 0 
       AND @PriceMax = 0 
      ) 
      OR PhotographerID IN (SELECT PhotographerID FROM Packages WHERE Price BETWEEN @PriceMin AND @PriceMax) 
     ) 
     AND 
     (
      @CityID = 0 
      OR CityID = @CityID 
     ) 
END 

我会做进一步改进搬完子查询到JOIN声明与GROUP BY联合声明，以提高性能，但这需要进一步DB知识。