I have written a stored procedure which fetches data from a table using pagination. I used the ROW_NUMBER function.
Here is my stored procedure code:
    ALTER PROCEDURE USP_GetLastCSMSavedData
    (@Ticker VARCHAR(10)=NULL,
     @ClientName VARCHAR(10)=NULL,
     @LastCSMDate Datetime=NULL,
     @PageIndex INT = 1,
     @PageSize INT = 10)
    AS
    BEGIN
        DECLARE @SQL VARCHAR(MAX)
        DECLARE @offset INT
        SET @offset = (@PageIndex - 1) * @PageSize
        SET @SQL = 'SELECT * FROM (SELECT
            CAST(ROW_NUMBER() OVER (ORDER BY LastCSMDeliveredDate DESC) AS INT) AS ''RowNumber'',
            ID,
            Ticker,
            c.ClientName,
            Earnings,
            PrePost,
            IIF([QC-ViewAllContent] IS NULL,0,1) HasViewAllContent,
            IIF([QCCommentsContent] IS NULL,0,1) HasQCCommentsContent,
            InsertedOn,
            LastCSMDeliveredDate,
            Action,
            UserName
            from tblLastCSMDelivered csm JOIN tblClient c
            ON csm.ClientCode=c.ClientCode
            WHERE LastCSMDeliveredDate IS NOT NULL) X
            WHERE CAST(X.RowNumber AS INT)>='+@offset+' AND CAST(X.RowNumber AS INT)<'+(@offset+@PageSize)
        IF @Ticker IS NOT NULL
        BEGIN
            SET @SQL=@SQL+' AND X.Ticker='+@Ticker
        END
        IF @ClientName IS NOT NULL
        BEGIN
            SET @SQL=@SQL+' AND X.ClientName='+@ClientName
        END
        IF @LastCSMDate IS NOT NULL
        BEGIN
            SET @SQL=@SQL+' AND CONVERT(VARCHAR,X.LastCSMDeliveredDate,112)=CONVERT(VARCHAR,'+@LastCSMDate+',112)'
        END
        --EXEC (@SQL)
        PRINT @SQL
    END
I assume it is this line:
    WHERE CAST(X.RowNumber AS INT)>='+@offset+' AND CAST(X.RowNumber AS INT)<'+(@offset+@PageSize)
that gives me the runtime error:
    Msg 245, Level 16, State 1, Procedure USP_GetLastCSMSavedData, Line 16 [Batch Start Line 20]
    Conversion failed when converting the varchar value
Please tell me what I have missed in my code. Thanks.
N'...CAST(X.RowNumber AS INT)>='+@offset+N'...' isn't parametrising, it's injecting; it's 2021, SQL injection should have died like the Black Plague by now, yet it's still alive and well in your code. But, again, why are you using dynamic SQL when the statement doesn't need to be dynamic?
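The static, parameterised form of the procedure that the comment above asks for, as an added example that is neither the asker's nor the commenter's code. It assumes the table and column names from the question, that the unqualified columns belong to tblLastCSMDelivered, and SQL Server 2012 or later for OFFSET/FETCH and THROW:

```sql
-- Added example (not the asker's code): the same pagination as static T-SQL.
-- Assumes the question's table/column names and SQL Server 2012+ (OFFSET/FETCH, THROW).
CREATE PROCEDURE USP_GetLastCSMSavedData_Static
(
    @Ticker      VARCHAR(10) = NULL,
    @ClientName  VARCHAR(10) = NULL,
    @LastCSMDate DATETIME    = NULL,
    @PageIndex   INT         = 1,
    @PageSize    INT         = 10
)
AS
BEGIN
    SET NOCOUNT ON;

    -- Reject values that would make OFFSET/FETCH raise an error at run time.
    IF @PageIndex < 1 OR @PageSize < 1
    BEGIN
        THROW 50000, 'PageIndex and PageSize must be positive.', 1;
    END;

    -- Parameters are compared as values, never spliced into statement text,
    -- so no caller input can alter the query or trigger a varchar conversion.
    SELECT
        csm.ID,
        csm.Ticker,
        c.ClientName,
        csm.Earnings,
        csm.PrePost,
        IIF(csm.[QC-ViewAllContent] IS NULL, 0, 1) AS HasViewAllContent,
        IIF(csm.[QCCommentsContent]  IS NULL, 0, 1) AS HasQCCommentsContent,
        csm.InsertedOn,
        csm.LastCSMDeliveredDate,
        csm.[Action],
        csm.UserName
    FROM tblLastCSMDelivered AS csm
    JOIN tblClient AS c ON csm.ClientCode = c.ClientCode
    WHERE csm.LastCSMDeliveredDate IS NOT NULL
      -- Optional filters: a NULL parameter disables its predicate.
      AND (@Ticker      IS NULL OR csm.Ticker   = @Ticker)
      AND (@ClientName  IS NULL OR c.ClientName = @ClientName)
      AND (@LastCSMDate IS NULL
           OR CAST(csm.LastCSMDeliveredDate AS DATE) = CAST(@LastCSMDate AS DATE))
    ORDER BY csm.LastCSMDeliveredDate DESC
    -- Page 1 starts at row 1; the question's RowNumber >= 0 AND < 10 range returned only 9 rows on page 1.
    OFFSET (@PageIndex - 1) * @PageSize ROWS
    FETCH NEXT @PageSize ROWS ONLY
    OPTION (RECOMPILE); -- lets the optimizer drop the disabled OR branches per call
END;
```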