0

Is there a way that I can Update records from the database where the logical condition for example is supplied by the user in the parameter?

I want to update the salesperson where invoice date for example is greater than "11/13/17". But in this case the user will be the one supplying the logical operator on the parameter. I create a stored procedure with the following code:

UPDATE inv_hdr_mst
    SET slsman = @SalesPerson
    WHERE cust_num = @Customer AND **inv_date = @Invoice**

enter image description here

Here is the copy of my stored procedure:

ALTER PROCEDURE TMA_UpdateSalesPersonSp

    -- Add the parameters for the stored procedure here

    @Invoice InvNumType,
    @Salesperson SlsmanType,
    @Customer   CustNumType

AS

BEGIN

    DECLARE @upd_sql nvarchar(1000)

    BEGIN

        set @upd_sql = 
            '
                 UPDATE inv_hdr_mst_all
                  SET slsman = ''' + @salesperson + '''
                  WHERE cust_num = ''' + @customer + ''' AND inv_date ' + @invoice + '
             '

            print @upd_sql



    END

exec (@upd_sql);



END
tarheel
  • 4,727
  • 9
  • 39
  • 52
Erick C.
  • 3
  • 2
  • if you want greater than 11/13/17 why not put that in your stored procedure rather than the parameter?? AND inv_date >=@invoice_date – Harry Nov 03 '17 at 01:24
  • Hi Harry thanks for your reply. The reason I want to put it in the parameter is to make it somehow flexible. For example is I want to update a different record which is less than the invoice date, the user can put it in the parameter instead of the code. I just hoping if there is a way. – Erick C. Nov 03 '17 at 01:28
  • Use dynamic sql instead. this way you can let your user specify if the date is >, < or =... – Ilyes Nov 03 '17 at 01:29
  • Thanks @Sami it make sense :) But how can I implement it when I will be supplying the logical operator on the parameter? – Erick C. Nov 03 '17 at 01:34

1 Answers1

0

Dynamic SQL will allow you to have the user specify the logical operator at run-time. The @invoice variable will do the trick.

declare @invoice nvarchar(1000)
    , @salesperson nvarchar(100)
    , @customer nvarchar(100)
    , @upd_sql nvarchar(1000)

set @invoice = '> ''11/3/2017'''
set @customer = 'STARTR'
set @salesperson = 'MAY'

set @upd_sql = 
    '
        UPDATE inv_hdr_mst
        SET slsman = ''' + @salesperson + '''
        WHERE cust_num = ''' + @customer + ''' AND inv_date ' + @invoice + ' 
    '

print @upd_sql

exec (@upd_sql);
tarheel
  • 4,727
  • 9
  • 39
  • 52
  • Hi tarheel Thanks for your reply. But no rows are affected when I tried to execute my stored procedure as it seems there is a missing quotation. This is how I execute my stored procedure: EXEC TMA_UpdateSalesPersonSp '<11/15/2012', 'MAY', 'STARTR' – Erick C. Nov 03 '17 at 02:04
  • @ErickC. is `print @upd_sql` return the right query? – Ilyes Nov 03 '17 at 02:07
  • @ErickC. That is because the `'<11/5/2012'` parameter didn't escape the quote. (https://stackoverflow.com/questions/1586560/how-do-i-escape-a-single-quote-in-sql-server) Those seemingly innocuous quotes (`'`) around the date in the `@invoice` parameter are in fact serving a purpose. – tarheel Nov 03 '17 at 02:08
  • @tarheel yes it returns the query but the single quote on the invoice date was not appearing. I tried to declare the table similar to the link you gave me but there is an error. Please help. ,@inv_hdr_mst_all TABLE ( [value] VARCHAR(200) ) – Erick C. Nov 03 '17 at 02:29
  • @ErickC. That linked question was only for reference if you had never heard the phrase "escape the quote". Don't need to change how your table is being declared at all. Just call the procedure like this `EXEC TMA_UpdateSalesPersonSp '<''11/15/2012''', 'MAY', 'STARTR'`. Just as a word of caution, I would make sure to put some handling on the possible values of the parameters, because you don't want to have a case of Bobby Tables (https://xkcd.com/327/). – tarheel Nov 03 '17 at 03:03
  • @tarheel sorry for being a nuisance but I received an error message. Msg 105, Level 15, State 1, Line 4 Unclosed quotation mark after the character string '11/15/2012 '. Msg 102, Level 15, State 1, Line 4 Incorrect syntax near '11/15/2012 – Erick C. Nov 03 '17 at 03:13
  • @ErickC. Based on the error message, I would bet its surrounding the same escaping the quote issue, but I would have to see the whole procedure to help further. Can you post that as an update in the question? – tarheel Nov 03 '17 at 03:15
  • @tarheel I just added the code on my stored procedure. Thank you in advance :) – Erick C. Nov 03 '17 at 05:49
  • @ErickC. It looks like the user-defined data types (`InvNumType`,`SlsmanType`,`CustNumType`) may be the issue. If you change them to `nvarchar(1000)` the update statement produced (`update inv_hdr_mst_all set slsman = 'MAY' where cust_num = 'STARTR' AND inv_date <'11/15/2012'`) is valid.You'd have to get details on those to better understand the behavior of the quotes. – tarheel Nov 03 '17 at 13:46
  • I'm sure that, in the real world, you intend to wrap that user-supplied input to protect it against SQL injection, right? – underscore_d Nov 03 '17 at 13:56