Reading SQL error messages and sp_executeSQL

"Procedure expects parameter '@statement' of type 'ntext/nchar/nvarchar'."

A few days ago, I ran into the error mentioned above. sp_executeSQL requires that the first two parameters (statement and parameter declaration) be of type ntext, nchar or nvarchar

http://dotnetjunkies.com/WebLog/richard.dudley/archive/2004/09/29/27169.aspx

When I ran into this error, I copied the error message and googled (so much for the "googler stereotype") right away. Only to later realize that if I had read the error message well, I should have easily determine the cause. I was passing an argument to the stored procedure so I thought it was weird that it was still looking for one. I thought it was one of those weird errors and jumped right into that conclusion. I do pay attention to details but there are just those days that you still fail to do so. So just a debugging reminder, read the error message before you google.

*** sp_executeSQL is a stored procedure which is best used for dynamic SQL queries. One of it's popular use is to prevent SQL injection. I'm thinking of posting an entry on sql injection but there are a lot of articles out there that likely explains more clearly and interesting that my explanation would be so probably next time. Know though that stored procedures doesn't guarantee full protection from SQL injection especially if you still concatenate inside your stored procedures. And for that (plus other cases where you really need dynamic queries) have a look at sp_executeSQL.


Posted

in

by

Tags: