I have example code query store procedure in sql server from internet like this
CREATE PROCEDURE `usp_UpdateStudent` (#tblStudent XML)
BEGIN
SET NOCOUNT ON;
INSERT INTO Student(StudentId,StudentName)
SELECT Student.value('(StudentId)[1]', 'nvarchar(100)') as StudentId,
Student.value('(StudentName)[1]', 'nvarchar(100)') as StudentName
FROM
#tblStudent.nodes('/ArrayOfStudent/Student')AS TEMPTABLE(Student)
END
i am just wondering if is there any way to create this sp in mysql, because when i search it is dominant with sql server. i try to create it in mysql but got error in paramater XML. Here is my store procedure in mysql with param XML
DELIMITER $$
CREATE PROCEDURE get_test(IN param XML)
BEGIN
SELECT *
FROM master_course
END$$
DELIMITER ;
Related
Consider the following stored procedure and its usage:
DROP PROCEDURE IF EXISTS ShowMIHoles;
DELIMITER $$
CREATE PROCEDURE ShowMIHoles(IN CourseID VARCHAR(255))
BEGIN
select * from tblcourses where id=CourseID;
END $$
DELIMITER ;
call ShowMIHoles(1299)
That works, and returns the row of table tblcourses with id 1299.
However, it isn't protected from SQL injection.
So, I read that quote() should be used to make a value safe.
This is my attempt to use quote:
DROP PROCEDURE IF EXISTS ShowMIHoles;
DELIMITER $$
CREATE PROCEDURE ShowMIHoles(IN CourseID VARCHAR(255))
BEGIN
select * from tblcourses where id=quote(CourseID);
END $$
DELIMITER ;
call ShowMIHoles(1299)
That results in "0 rows returned". No error message. MySQL 5.7.28.
I tried various tests to see what was going wrong. The ones that don't use CourseID parameter, I tested both inside procedure, and as a stand-alone query.
select quote(1299);
=> '1299'
select * from tblcourses where id='1299';
=> The expected row with id 1299.
select * from tblcourses where id=quote(1299);
=> 0 rows returned.
It is possible to make this work, via prepared statement:
...
BEGIN
SET #sql = CONCAT('select * from tblcourses where id=', quote(CourseID));
prepare stmt from #sql;
execute stmt;
END $$
...
=> The expected row with id 1299.
Question:
Is there any way to safely use this parameter as an expression value in the where clause, without dynamically preparing a statement?
You do not need to worry about SQL injection inside a stored procedure unless you are using dynamic SQL. Strings will always be treated like whole string and numbers as numbers.
So, the first version you are showing is perfectly fine. Just make sure that when you call the procedure, your code is safe.
I'm trying to call a stored procedure from another stored procedure and store the value in a variable. The inner stored procedure basically checks if something exists and uses a select statement to return a zero or one. I keep getting an error. In this situation, MySQL is saying "=" is not valid at this position, expecting ";"
CREATE PROCEDURE `CardNames_Add` (searchedCard VARCHAR(50))
BEGIN
DECLARE exist TINYINT;
EXECUTE exist = CardNames_CheckExist searchedCard
IF (exist = 0)
INSERT INTO card_names (name)
VALUE(searchedCard)
END
You have to rewrite you other stored procedure, that you don't need btw, to give back a result
CREATE PROCEDURE CardNames_CheckExist (IN searchedCard VARCHAR(50), OUT result TINYINT )
BEGIN
--do some stuzff
result = 1
END
CREATE PROCEDURE `CardNames_Add` (searchedCard VARCHAR(50))
BEGIN
CALL CardNames_CheckExist(searchedCard,#result);
IF (#result = 0) THEN
INSERT INTO card_names (name)
VALUES (searchedCard);
END IF;
END
I Have created a simple procedure:
CREATE PROCEDURE `simpleProcedure` ( IN `parameter` INT) NOT DETERMINISTIC READS SQL DATA SQL SECURITY DEFINER
BEGIN
SELECT *
FROM table1;
END
Running this procedure using CALL simpleProcedure(1) in phpMyAdmin does not show the result of the query... How do I make phpMyAdmin show the result of the query inside the procedure?
You need an OUT parameter for it to return results, see http://dev.mysql.com/doc/refman/5.0/en/create-procedure.html.
Example from the sakila database:
DELIMITER $$
CREATE DEFINER=`root`#`127.0.0.1` PROCEDURE `film_in_stock`(IN p_film_id INT, IN p_store_id INT, OUT p_film_count INT)
READS SQL DATA
BEGIN
SELECT inventory_id
FROM inventory
WHERE film_id = p_film_id
AND store_id = p_store_id
AND inventory_in_stock(inventory_id);
SELECT FOUND_ROWS() INTO p_film_count;
END$$
I want to be able to pass arguments to stored procedure, so I searched the net and encountered something like this:
DELIMITER $$
CREATE PROCEDURE addTmpUser
#id varchar(10)
AS
BEGIN
//some sql code
END$$
DELIMITER ;
The problem is that I am getting a syntax error for the # character.
Note: I am using MySQL db.
You are mixing variable types.
#variable is a user variable with a scope for the entire connection.
The variables in stored procedures look different, they don't have the # before them.
Also, you need to declare them. Here is an example
DELIMITER $$
CREATE PROCEDURE addTmpUser(p_id varchar(10))
-- the variable is named p_id as a nameing convention.
-- It is easy for variables to be mixed up with column names otherwise.
BEGIN
DECLARE innerVariable int;
insert into user (id) values (p_id);
-- return all users
select * from user;
END$$
DELIMITER ;
-- and now call it
call addTmpUser(10);
You need to use IN,OUT,INOUT to specify the parameter. So you can try this
DELIMITER $$
CREATE PROCEDURE addTmpUser (IN id VARCHAR(10))
BEGIN
//some sql code
END$$
DELIMITER ;
Look at the documentation
I am trying to make a stored procedure using mySQL. This procedure will validate a username and a password. I'm currently running mySQL 5.0.32 so it should be possible to create procedures.
Heres the code I've used. All I get is an SQL syntax error.
GO
CREATE PROCEDURE checkUser
(IN #brugernavn varchar(64)),IN #password varchar(64))
BEGIN
SELECT COUNT(*) FROM bruger WHERE bruger.brugernavn=#brugernavn AND bruger.pass=#Password;
END;
Thank you in advance
I figured it out now. Here's the correct answer
CREATE PROCEDURE checkUser
(
brugernavn1 varchar(64),
password varchar(64)
)
BEGIN
SELECT COUNT(*) FROM bruger
WHERE bruger.brugernavn=brugernavn1
AND bruger.pass=password;
END;
# points to a global var in mysql. The above syntax is correct.
(IN #brugernavn varchar(64)**)**,IN #password varchar(64))
The problem is the )
Its very easy to create procedure in Mysql. Here, in my example I am going to create a procedure which is responsible to fetch all data from student table according to supplied name.
DELIMITER //
CREATE PROCEDURE getStudentInfo(IN s_name VARCHAR(64))
BEGIN
SELECT * FROM student_database.student s where s.sname = s_name;
END//
DELIMITER;
In the above example ,database and table names are student_database and student respectively.
Note: Instead of s_name, you can also pass #s_name as global variable.
How to call procedure?
Well! its very easy, simply you can call procedure by hitting this command
$mysql> CAll getStudentInfo('pass_required_name');