I want to write a safe simple stored procedure which will select some columns from database table based on some parameters given to stored procedure.
I have tried two ways of writing the stored procedure.
1st way as:
CREATE PROCEDURE SPBasic
#id int,
#value int
AS
BEGIN
SELECT Id, name, design
FROM SimpleTable
WHERE ID = #id AND value = #value;
END
GO
2nd way as:
CREATE PROCEDURE SPBasic
#id int,
#value int
AS
BEGIN
DECLARE #sql NVARCHAR(MAX);
SET #sql = N'SELECT Id, name, design FROM SimpleTable
WHERE ID = #id AND value = #value';
EXEC sp_executesql #sql, N'#id int, #value int', #id,#value;
END
GO
For both the cases I run the script as:
DECLARE #return_value int
EXEC #return_value = SPBasic
#id = N'11',
#value = 1;drop table test
SELECT 'Return Value' = #return_value
And in both the cases the temporary table test which I created for test purpose is getting deleted.
So, I would like to know what could be the safe code for this purpose?
Since both your stored procedures take integer parameters, there is no possibility of an SQL injection attack. If the 2nd procedure took a string ( varchar ) parameter, then an SQL injection attack would be a possibility.
I have this stored procedure in Microsoft SQL Server:
CREATE PROCEDURE display_user_name
#userID INT,
#user_name VARCHAR(250) OUTPUT
AS
SET NOCOUNT ON;
SELECT #user_name = first_name +' '+ last_name
FROM User_Table
WHERE userID = #userID;
RETURN #user_name
GO
and I get this error
Conversion failed when converting the varchar value 'john1 doe1' to data type int.
When I run the stored procedure, I see that it creates a variable #return_value and it declares it as INT, this is the code that is generated when I right click and run the stored procedure
DECLARE #return_value INT,
#user_name VARCHAR(250)
EXEC #return_value = [dbo].[display_user_name]
#userID = 1,
#user_name = #user_name OUTPUT
SELECT #user_name as N'#user_name'
SELECT 'Return Value' = #return_value
GO
How will I need to modify my original stored procedure so I don't get this error?
Thanks for the help.
I have a stored procedure. I wanted to append the parameters to get all data from a specific table (e.g. tblJanuary2014). But the formatting is (probably) incorrect?
ALTER PROCEDURE GetReportAsOf
(
#Month varchar(15),
#Year varchar(15)
)
AS
BEGIN
SELECT * FROM tbl#Month#Year
RETURN
END
During execution it says:
Invalid object name 'tbl#Month#Year'
You should create dynamic sql on this.
ALTER PROCEDURE GetReportAsOf
(
#Month varchar(15),
#Year varchar(15)
)
AS
BEGIN
DECLARE #SQLQuery AS NVARCHAR(500)
SET #SQLQuery = 'SELECT * FROM tbl' + #Month + #Year
EXECUTE(#SQLQuery)
RETURN
END
I have a stored procedure where I am taking all the input parameter values and then within that stored procedure I am running another stored procedure where I need to set a variable value.
I am not sure how to set a variable of child stored procedure using parent stored procedure. Also, output of parent stored procedure is not the input of child stored procedure.
CREATE PROCEDURE [dbo].[usp_aStoredProcedure_1]
#sp1_var char(12),
#sp1_var char(12),
#sp1_var char(12),
...
#sp2_var char(20)
AS
CREATE TABLE #aTemp_tbl
(
col1 char(20)
)
CREATE TABLE #Results_tbl
(
col1 char(20),
val1 char(12)
)
IF #val1 IS NOT NULL
BEGIN
DELETE FROM #aTemp_tbl
INSERT INTO #aTemp_tbl EXEC usp_aStoredProcedure_2 #val1 /* this stored procedure requires #sp2_var value, how can I assign it within this usp_aStoredProcedure_1 stored procedure?*/
IF NOT EXISTS (SELECT * FROM #aTemp_tbl)
INSERT INTO #Results_tbl SELECT NULL, #val1
ELSE
INSERT INTO #Results_tbl SELECT col1 , #val1 FROM #aTemp_tbl
END
Pass value to child stored procedure like you are doing for parent stored procedure...
You can't directly set a variable of child stored procedure from parent stored procedure. You must use the parameters of child procedure for that.
See example below:
-- child procedure
create procedure p1
#param1 varchar(4),
#param2 varchar(4)
as
begin
select #param1 + #param2;
end;
-- parent procedure
create procedure p2
#param1 varchar(2),
#param2 varchar(2)
as
begin
declare
#param3 varchar(4),
#param4 varchar(4);
select
#param3 = #param1 + '_x',
#param4 = #param2 + '_x'
-- setting parameters of child stored procedure using parent stored procedure
exec p1 #param3, #param4;
end;
-- call parent procedure
exec p2 '1', '2'
I have a stored procedure that I am trying to test. I am trying to test it through SQL Management Studio. In order to run this test I enter ...
exec my_stored_procedure 'param1Value', 'param2Value'
The final parameter is an output parameter. However, I do not know how to test a stored procedure with output parameters.
How do I run a stored procedure with an output parameter?
The easy way is to right-click on the procedure in Sql Server Management Studio (SSMS), select 'Execute stored procedure..." and add values for the input parameters as prompted. SSMS will then generate the code to run the procedure in a new query window, and execute it for you. You can study the generated code to see how it is done.
you can do this :
declare #rowCount int
exec yourStoredProcedureName #outputparameterspOf = #rowCount output
Return val from procedure
ALTER PROCEDURE testme #input VARCHAR(10),
#output VARCHAR(20) output
AS
BEGIN
IF #input >= '1'
BEGIN
SET #output = 'i am back';
RETURN;
END
END
DECLARE #get VARCHAR(20);
EXEC testme
'1',
#get output
SELECT #get
Check this, where the first two parameters are input parameters and the 3rd is an Output parameter in the Procedure definition.
DECLARE #PK_Code INT;
EXEC USP_Validate_Login 'ID', 'PWD', #PK_Code OUTPUT
SELECT #PK_Code
Procedure Example :
Create Procedure [dbo].[test]
#Name varchar(100),
#ID int Output
As
Begin
SELECT #ID = UserID from tbl_UserMaster where Name = #Name
Return;
END
How to call this procedure
Declare #ID int
EXECUTE [dbo].[test] 'Abhishek',#ID OUTPUT
PRINT #ID
From https://learn.microsoft.com/en-US/sql/relational-databases/system-stored-procedures/sp-executesql-transact-sql (originally http://support.microsoft.com/kb/262499)
CREATE PROCEDURE Myproc
#parm varchar(10),
**#parm1OUT varchar(30) OUTPUT**,
**#parm2OUT varchar(30) OUTPUT**
AS
SELECT #parm1OUT='parm 1' + #parm
SELECT #parm2OUT='parm 2' + #parm
GO
DECLARE #SQLString NVARCHAR(500)
DECLARE #ParmDefinition NVARCHAR(500)
DECLARE #parmIN VARCHAR(10)
DECLARE #parmRET1 VARCHAR(30)
DECLARE #parmRET2 VARCHAR(30)
SET #parmIN=' returned'
SET #SQLString=N'EXEC Myproc #parm,
#parm1OUT OUTPUT, #parm2OUT OUTPUT'
SET #ParmDefinition=N'#parm varchar(10),
#parm1OUT varchar(30) OUTPUT,
#parm2OUT varchar(30) OUTPUT'
EXECUTE sp_executesql
#SQLString,
#ParmDefinition,
#parm=#parmIN,
#parm1OUT=#parmRET1 OUTPUT,#parm2OUT=#parmRET2 OUTPUT
SELECT #parmRET1 AS "parameter 1", #parmRET2 AS "parameter 2"
GO
DROP PROCEDURE Myproc
First, declare the output variable:
DECLARE #MyOutputParameter INT;
Then, execute the stored procedure, and you can do it without parameter's names, like this:
EXEC my_stored_procedure 'param1Value', #MyOutputParameter OUTPUT
or with parameter's names:
EXEC my_stored_procedure #param1 = 'param1Value', #myoutput = #MyOutputParameter OUTPUT
And finally, you can see the output result by doing a SELECT:
SELECT #MyOutputParameter
With this query you can execute any stored procedure (with or without an output parameter):
DECLARE #temp varchar(100)
EXEC my_sp
#parameter1 = 1,
#parameter2 = 2,
#parameter3 = #temp output,
#parameter4 = 3,
#parameter5 = 4
PRINT #temp
Here the datatype of #temp should be the same as #parameter3 within your Stored Procedure.
How about this? It's extremely simplified:
The SPROC below has an output parameter of #ParentProductID
We want to select the value of the output of #ParentProductID into #MyParentProductID which is declared below.
Here's the Code:
declare #MyParentProductID int
exec p_CheckSplitProduct #ProductId = 4077, #ParentProductID = #MyParentProductID output
select #MyParentProductID
Try this; it's working fine for the multiple output parameter:
CREATE PROCEDURE [endicia].[credentialLookup]
#accountNumber varchar(20),
#login varchar(20) output,
#password varchar(50) output
AS
BEGIN
SET NOCOUNT ON;
SELECT top 1 #login = [carrierLogin],#password = [carrierPassword]
FROM [carrier_account] where carrierLogin = #accountNumber
order by clientId, id
END
Try for the result:
SELECT *FROM [carrier_account]
DECLARE #login varchar(20),#password varchar(50)
exec [endicia].[credentialLookup] '588251',#login OUTPUT,#password OUTPUT
SELECT 'login'=#login,'password'=#password
CREATE PROCEDURE DBO.MY_STORED_PROCEDURE
(#PARAM1VALUE INT,
#PARAM2VALUE INT,
#OUTPARAM VARCHAR(20) OUT)
AS
BEGIN
SELECT * FROM DBO.PARAMTABLENAME WHERE PARAM1VALUE=#PARAM1VALUE
END
DECLARE #OUTPARAM2 VARCHAR(20)
EXEC DBO.MY_STORED_PROCEDURE 1,#OUTPARAM2 OUT
PRINT #OUTPARAM2
Here is the stored procedure
create procedure sp1
(
#id as int,
#name as nvarchar(20) out
)
as
begin
select #name=name from employee where id=#id
end
And here is the way to execute the procedure
declare #name1 nvarchar(10)
exec sp1 1,#name1 out
print #name1
Please check below example to get output variable value by executing a stored procedure.
DECLARE #return_value int,
#Ouput1 int,
#Ouput2 int,
#Ouput3 int
EXEC #return_value = 'Your Sp Name'
#Param1 = value1,
#Ouput1 = #Ouput1 OUTPUT,
#Ouput2 = #Ouput2 OUTPUT,
#Ouput3 = #Ouput3 OUTPUT
SELECT #Ouput1 as N'#Ouput1',
#Ouput2 as N'#Ouput2',
#Ouput3 as N'#Ouput3'
Here is the definition of the stored_proc:
create proc product(#a int,#b int)
as
return #a * #b
And, this is executing it from Python:
conn = pyodbc.connect('...')
cursor = conn.cursor()
sql = """
SET NOCOUNT ON
declare #r float
exec #r=dbo.product 5,4
select #r
"""
result = cursor.execute(sql)
print (result.fetchall())