Escape sproc Parameters
Posted by:
John Noble
Date: November 23, 2020 03:46AM
Hi folks,
I have a problem when a parameter has an apostrophe in it. Im not sure if I should handle it in the sproc or handle it before it gets sent to the sproc.
If any of the varchar parameters has an ' it just crashes.
Any ideas ??
CREATE DEFINER=`root`@`%` PROCEDURE `usp_BoatsUpdate`(
IN p_pKey int(10),
IN p_bCode varchar(6),
IN p_name varchar(20),
IN p_engine varchar(29),
IN p_HP int(10),
IN p_length decimal(10,2),
IN p_companyID varchar(4)
)
BEGIN
DECLARE vUPDATE varchar(1000) default "";
DECLARE vTableName varchar(4) default "";
SET @vTableName = CONCAT(p_companyID, "boats");
START TRANSACTION;
SET @vUPDATE = CONCAT("UPDATE ", @vTableName, " SET bCode = '", p_bCode, "'",
", name = '", p_name, "'",
", engine = '", p_engine, "'",
", HP = '", p_HP, "'",
", length = '", p_length, "'"
" WHERE pKey = '", p_pKey, "'");
PREPARE stmt FROM @vUPDATE;
EXECUTE stmt;
COMMIT;
END