0

使用命令时替换功能工作

exec MyStoredProcedure param1, param2,

等等...,但是当通过 C# 代码运行它时,它没有正确替换文本,所以我最终收到一封电子邮件,上面仍然写着@@Comments,而不是实际的评论。我尝试在 SQL Server 2008 中检查它,但它工作正常并且电子邮件正常通过。有什么需要我检查的吗?

这是我的 C# 代码:

public static void SetRequestStatusChange(int reqID, int newStatus, string assignTo)
{
    SqlConnection con = new SqlConnection(connectionString);
    SqlCommand cmd = new SqlCommand("spUpdateRequest", con);
    cmd.CommandType = CommandType.StoredProcedure;

    // Status
    cmd.Parameters.Add(new SqlParameter("@RequestNo", SqlDbType.Int, 4));
    cmd.Parameters["@RequestNo"].Value = 276;

    // Queue
    cmd.Parameters.Add(new SqlParameter("@userID", SqlDbType.NVarChar, 12));
    cmd.Parameters["@userID"].Value = "1091912";

    // State
    cmd.Parameters.Add(new SqlParameter("@RequestStatus", SqlDbType.Int, 4));
    cmd.Parameters["@RequestStatus"].Value = 2;

    // Buyer Emp ID
    cmd.Parameters.Add(new SqlParameter("@assignedTo", SqlDbType.NVarChar, 12));
    cmd.Parameters["@assignedTo"].Value = "1091912";

    try
    {
        con.Open();
        cmd.ExecuteNonQuery();
    }
    catch (SqlException err)
    {
        throw new ApplicationException("Data Error." + err.ToString());
    }
    finally
    {
        //close the connection 
        con.Close();
    }
}

这是实际执行替换的存储过程的一部分。实际的存储过程很长,调用了很多其他的存储过程(我没写),读起来会非常麻烦。

select @html = replace(replace(replace(@html, '@@COMMENTS', case when @activityID <> 20 then  'The following comments were noted when the Request' else '' end +

   case @ActivityID when  2 then ' was submitted: ' +  case when requestorComments > '' then requestorComments  else 'None' end
   when 0 then '' 
   when  4 then ' was edited: ' + isnull(L.Comments,  'None') 
   when  15 then ' was edited: ' + isnull(LL.Comments,  'None') 
   when  20 then ''
   when  21 then  ' material was returned: ' + case when dbo.fnLastComment(lamSpecRecallComments) > '' then replace(dbo.fnLastComment(lamSpecRecallComments),':',':  ') else 'None' end
   when  -21 then  ' material was returned: ' + case when dbo.fnLastComment(lamSpecRecallComments) > '' then replace(dbo.fnLastComment(lamSpecRecallComments),':',':  ') else 'None' end
   when  8 then ' was approved: ' + case when ccMgrCOmments > '' then ccMgrCOmments  else 'None' end
   when  9 then ' was approved: ' + case when lamAprCOmments > '' then lamAprCOmments  else 'None' end
   when 13 then ' was stored: ' + case when dbo.fnLastComment(lamSpecCOmments) > '' then dbo.fnLastComment(lamSpecCOmments)  else 'None' end
   when -8 then ' was closed: ' + case when ccMgrCOmments > '' then ccMgrCOmments  else 'None' end
   when -9 then ' was closed: ' + case when lamAprCOmments > '' then lamAprCOmments  else 'None' end
   else '' end), 

   '@@PLEASE',
   case when @activityID =  8 or @activityID = 9 or @activityID = 20 or @activityID = 2  then 'Please click the link below to view the Request and ensure it is worked expeditiously.'
   else '' end),'@@RECALL',@list)  

   from (select * from strgRequests where requestNumber = @requestID) r
   left join (select * from  ActivityLog  where TransactionID = @transactionID) L on 1 = 1
   left join (select * from  ActivityLineItemLog where TransactionID = @transactionID) LL on 1 = 1

@@Comments、@@RECALL 和@@请来自一个表。这允许自定义电子邮件。

4

1 回答 1

0

“@@”通常用于全局/默认变量。“@”通常用于参数。

我必须查看更多代码才能确定。我的直觉告诉我,将你的 @@ 换成 @ 是你应该采取的下一个方向来解决这个问题。

此外,如果字段的值为“@@Comments”,您可能在某处有如下代码:

设置@cmd=`insert into Table (field,field,field) 值('somethinguseful','@@Comments','more stuff')

执行(@cmd)

这有两个问题。

  1. 你没有翻译@@Comments
  2. 你容易注射。

使用类似的东西:

执行 sp_executesql N'insert into Table (field,field,field) 值 (@var1,@var2,@var3)' ,N'@var1 varchar(256)' , @var1=@Comments ...

于 2012-05-23T18:14:22.753 回答