Working with datetime with dynamic query in SQL Server

后端 未结 7 2825
野性不改
野性不改 2021-02-20 11:56

I am using a dynamic query wherein I want to use the variable which holds the datetime, whenever I execute the query it says cannot convert datetime from string, when I cast tha

7条回答
  •  失恋的感觉
    2021-02-20 12:17

    You should not concatenate your parameter values like this. The best solution is to use a parameterized query with sp_executesql.

    DECLARE @sql nvarchar(4000)
    
    select @sql = N'
      SELECT B.FacId 
           , B.FacName
           , B.BookCode
           , B.BookName
           , B.Quantity
           , CONVERT(VARCHAR(10), B.TillDate, 104) AS TILLDATE 
        FROM ' + quotename(@TABLE) + N' B
       WHERE B.TillDate BETWEEN cast(floor(cast(@fromDate as float)) as datetime)
                            AND cast(floor(cast(@toDate as float)) as datetime)'
    
    EXEC sp_executesql @sql, N'@fromDate datetime, @toDate datetime', @FROMDATE, @TODATE
    

    Things to note about sp_executesql are:

    • The parameters are NVARCHAR values
    • The 3rd and 4th parameter keep their original datatype and do not need to be converted to a varchar. This again protects agains SQL Injection and it makes the query more readable as you prevent the quote soup which is so common in Dynamic SQL

    Some additional changes were applied to the query:

    • The table name is wrapped in the QUOTENAME() function which protects against sql injection on the object name
    • The way the date part of the datetime variables is removed is not very optimal. Doing a convert(,,101) is an expensive operation which can better be done using the casting to float and taking floor of that value.

提交回复
热议问题