接昨日的DNN中的数据表安装文件错误问题。

昨日我发现自己从sqlServer中导出的数据库安装文件在DNN中的模块的安装过程中会出错，今天打开了SqlServer的数据探查器跟踪发现，我原来的代码（如下），经DNN执行后会因为DNN防SQL注入而改变，不知会不会是DNN中的一个小Bug.

CREATE PROCEDURE {databaseOwner}{objectQualifier}gdlmo_ArticleAdd
    @CategoryID int,
    @Title nvarchar(255),
    @CreatedDate smalldatetime,
    @CreatedByUser nvarchar(100),
    @CopyFrom nvarchar(255),
    @Author nvarchar(255),
    @Hits int,
    @IsPassed bit,
    @IP nvarchar(50),
    @DeptName nvarchar(100),
    @Summary nvarchar(2000),
    @ArticleNames nvarchar (2000)
AS

DECLARE @ArticleId int
BEGIN
    INSERT INTO gdlmo_Article (
        [CategoryID],
        [Title],
        [CreatedDate],
        [CreatedByUser],
        [CopyFrom],
        [Author],
        [Hits],
        [IsPassed],
        [IP],
        [DeptName],
        [Summary]
    ) VALUES (
        @CategoryID,
        @Title,
        @CreatedDate,
        @CreatedByUser,
        @CopyFrom,
        @Author,
        @Hits,
        @IsPassed,
        @IP,
        @DeptName,
        @Summary
    )

    SELECT @ArticleId = SCOPE_IDENTITY()
END

BEGIN
    DECLARE @strSql varchar(1000)

    SET @strsql = 'insert into gdlmo_article_accesory(articleid,articlename) '
    SET @strsql = @strsql + ' select ' + str(@ArticleId) + ',* from {databaseOwner}{objectQualifier}f_splitstr('''+ @ArticleNames + ''','';'')'   
    EXEC (@strsql) 
END
SELECT @ArticleId

GO

下面是在SQL的事件探查器中的代码

CREATE PROCEDURE dbo.gdlmo_ArticleAdd
    @CategoryID int,
    @Title nvarchar(255),
    @CreatedDate smalldatetime,
    @CreatedByUser nvarchar(100),
    @CopyFrom nvarchar(255),
    @Author nvarchar(255),
    @Hits int,
    @IsPassed bit,
    @IP nvarchar(50),
    @DeptName nvarchar(100),
    @Summary nvarchar(2000),
    @ArticleNames nvarchar (2000)
AS

DECLARE @ArticleId int
BEGIN
    INSERT INTO gdlmo_Article (
        [CategoryID],
        [Title],
        [CreatedDate],
        [CreatedByUser],
        [CopyFrom],
        [Author],
        [Hits],
        [IsPassed],
        [IP],
        [DeptName],
        [Summary]
    ) VALUES (
        @CategoryID,
        @Title,
        @CreatedDate,
        @CreatedByUser,
        @CopyFrom,
        @Author,
        @Hits,
        @IsPassed,
        @IP,
        @DeptName,
        @Summary
    )

    SELECT @ArticleId = SCOPE_IDENTITY()
END

BEGIN
    DECLARE @strSql varchar(1000)

    SET @strsql = ''insert into gdlmo_article_accesory(articleid,articlename) ''
    SET @strsql = @strsql  '' select ''  str(@ArticleId)  '',* from dbo.f_splitstr('''''' @ArticleNames  '''''','''';'''')''   
    EXEC (@strsql) 
END
SELECT @ArticleId

代码中的“'”变为了“''”，“+”也被去掉了

Technorati Tags: DotnetNuke, DNN, .net