0

我在 aspx 第一个页面中有两个用于位置和供应商的下拉菜单。根据在位置下拉列表中选择的值,供应商下拉列表必须填充...我正在尝试与位置名称绑定

地点:

                <asp:DropDownList ID="ddlAllLocations" runat="server" DataSourceID="SqlDataSourceBusinessLocations"
                    DataTextField="Location_Name" DataValueField="Location_ID" AutoPostBack="True"  AppendDataBoundItems="True">
   <asp:ListItem value="" selected="True">

供应商:

<asp:SqlDataSource ID="SqlDataSourceAllVendors" runat="server" ConnectionString="<%$ ConnectionStrings:xxxxx %>"
        ProviderName="<%$ ConnectionStrings:xxxxx.ProviderName %>" SelectCommand="GetAllVendorsForBUforLocation"
        SelectCommandType="StoredProcedure">
       <SelectParameters>
            <asp:SessionParameter Name="userBUIds" SessionField="BusinessUnitIds" Size="200"
                Type="String" />

             <asp:ControlParameter ControlID="ddlAllLocations" Name="LOCATION_ID" PropertyName="SelectedValue"
                Type="String" />
        </SelectParameters>

    </asp:SqlDataSource>

我的存储过程是

-- =============================================
ALTER PROCEDURE [dbo].[GetAllVendorsForBUforLocation]
    @userBUIds varchar(200),
    @LOCATION_ID int
AS
DECLARE @sql NVARCHAR(4000)   
BEGIN
    set @sql='SELECT DISTINCT tblVendor_Payees.PayeeID, RTRIM(ISNULL(a.Name1_Last, '''')) + '' '' + ISNULL(a.Name1_First, '''') AS VendorName, tblVendor_Business.BusinessID FROM tblVendor_Payees AS a left JOIN tblFields AS f ON a.PayeeID = f.VendorID INNER JOIN tblVendor_Business ON a.PayeeID = tblVendor_Business.PayeeID INNER JOIN INVENTORY.TBL_LOCATION  on INVENTORY.TBL_LOCATION.BusinessID = tblVendor_Business.BusinessID WHERE (a.VendorType = 1) AND (tblVendor_Business.BusinessID = '+cast(@userBUIds as varchar(50))+' and INVENTORY.TBL_LOCATION.LOCATION_ID = '+cast(@LOCATION_ID as int)+') ORDER BY VendorName'
 exec sp_executeSQL @sql 
END

我收到此错误:

转换 varchar 值时转换失败 'SELECT DISTINCT tblVendor_Payees.PayeeID, RTRIM(ISNULL(a.Name1_Last, '')) + ' ' + ISNULL(a.Name1_First, '') AS VendorName, tblVendor_Business.BusinessID FROM tblVendor_Payees AS a left JOIN tblFields AS f ON a.PayeeID = f.VendorID INNER JOIN tblVendor_Business ON a.PayeeID = tblVendor_Business.PayeeID INNER JOIN INVENTORY.TBL_LOCATION on INVENTORY.TBL_LOCATION.BusinessID = tblVendor_Business.BusinessID WHERE (a.VendorType = 1) AND (tblVendor_Business. BusinessID = 2 和 INVENTORY.TBL_LOCATION.LOCATION_ID = ' 到数据类型 int

4

1 回答 1

1

您收到错误消息是因为您尝试将整数添加到字符串中。由于int具有比 更高的优先级varchar,SQL 将尝试将 转换varcharint. 由于varchar不包含有效整数,因此此转换将失败。

更重要的是,通过在存储过程中使用字符串连接和动态 SQL,您对SQL 注入敞开了大门。您的查询甚至没有做任何复杂到足以证明动态 SQL 的事情!

如果您迫切希望保留动态 SQL,请使用以下参数化版本sp_executesql

set @sql = N'SELECT DISTINCT 
tblVendor_Payees.PayeeID, 
RTRIM(ISNULL(a.Name1_Last, '''')) + '' '' + ISNULL(a.Name1_First, '''') AS VendorName, 
tblVendor_Business.BusinessID 
FROM tblVendor_Payees AS a left 
JOIN tblFields AS f ON a.PayeeID = f.VendorID 
INNER JOIN tblVendor_Business ON a.PayeeID = tblVendor_Business.PayeeID 
INNER JOIN INVENTORY.TBL_LOCATION  on INVENTORY.TBL_LOCATION.BusinessID = tblVendor_Business.BusinessID 
WHERE (a.VendorType = 1) 
AND (tblVendor_Business.BusinessID = @userBUIds 
and INVENTORY.TBL_LOCATION.LOCATION_ID = @LOCATION_ID) 
ORDER BY VendorName'

exec sp_executeSQL 
   @stmt = @sql, 
   N'@userBUIds varchar(200), @LOCATION_ID int',
   @userBUIds = @userBUIds,
   @LOCATION_ID = @LOCATION_ID

否则,跳过动态 SQL,直接执行查询。

于 2013-04-03T16:33:22.677 回答