[thelist] simple query building question

Ken Schaefer Ken at adOpenStatic.com
Wed Aug 10 19:34:04 CDT 2005


Also, in addition to Peter's comments, this type of code is open to SQL
injection attacks (which have been discussed many times on this list).

Why aren't you using parameter objects?

Cheers
Ken

--
www.adOpenStatic.com/cs/blogs/ken/ 

: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Peter Brunone (EasyListBox.com)
: Sent: Thursday, 11 August 2005 5:41 AM
: To: caseyc at thecrookstons.com; thelist at lists.evolt.org;
: thelist at lists.evolt.org
: Subject: re: [thelist] simple query building question
: 
: 
:    Linguistic nitpick:  it's not a webmatrix datagrid, it's an ASP.NET
: datagrid :)
: 
:    Are you assigning this property in the tag itself?  I don't think it'll
: work that way.  Try abstracting this out to the Page_Load subroutine, like
: this:
: 
: myDG.SelectCommand="SELECT * FROM MCCIME_Doctor WHERE state = '" &
: get_state & "' "
: 
:    (make sure you remove that extra space inside your concatenated
: variable value too)
: 
:  From: "Casey" aspnet at thecrookstons.com
: 
: In a web matrix datagrid, I need a variable WHERE clause.
: 
: SelectCommand="SELECT * FROM MCCIME_Doctor WHERE state = 'CA' "
: 
: that works fine, but
: 
: SelectCommand="SELECT * FROM MCCIME_Doctor WHERE state = ' " & get_state & " ' "
: 
: does not work. Not sure if it's because I'm declaring the variable wrong,
: or if my syntax is wrong.
: 
:  Sub Page_Load(Src As Object, E As EventArgs)
:  dim get_state as string = request.querystring("state")
:  end sub
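To make Ken's point concrete, here is an added example that is not code from anyone in the thread. It rebuilds the string-concatenated `SelectCommand` from the question against an in-memory SQLite table (the table, its columns and the doctor rows are constructed for the demo; the real MCCIME_Doctor schema is not shown on the list) and runs the same lookup both ways: the value pasted into the SQL text, and the value passed as a query parameter, which is what Ken means by a parameter object (in ADO.NET the equivalent is a SqlParameter on the command's Parameters collection). The `state` query string value is attacker-controlled, so the concatenated form returns every row for `' OR '1'='1`, and it also throws on a perfectly legitimate value containing an apostrophe, while the parameterised form does neither.

```python
import sqlite3

# Constructed sample data standing in for MCCIME_Doctor (assumed columns).
ROWS = [
    (1, "Dr. Alvarez", "CA"),
    (2, "Dr. Bishop", "CA"),
    (3, "Dr. Chen", "NY"),
    (4, "Dr. Dube", "TX"),
]

# Typical tautology payload an attacker would put in ?state=...
ATTACK = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite copy of the (assumed) MCCIME_Doctor table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MCCIME_Doctor (id INTEGER PRIMARY KEY, name TEXT, state TEXT)"
    )
    conn.executemany("INSERT INTO MCCIME_Doctor VALUES (?, ?, ?)", ROWS)
    return conn


def doctors_by_state_concat(conn, get_state):
    """The vulnerable form: mirrors the thread's string-built SelectCommand.

    Whatever arrives in request.querystring("state") becomes part of the SQL
    text, so quote characters in it change the query's structure.
    """
    sql = "SELECT * FROM MCCIME_Doctor WHERE state = '" + get_state + "'"
    return conn.execute(sql).fetchall()


def doctors_by_state_param(conn, get_state):
    """The parameterised form: the value is bound by the driver, never parsed
    as SQL, so it can only ever be compared against the state column."""
    sql = "SELECT * FROM MCCIME_Doctor WHERE state = ?"
    return conn.execute(sql, (get_state,)).fetchall()


def concat_breaks_on_apostrophe(conn):
    """Show the functional bug that rides along with the security one: a
    legitimate value containing an apostrophe makes the concatenated query
    syntactically invalid. Returns True if the database rejects it."""
    try:
        doctors_by_state_concat(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run both query styles with a normal value and with the payload."""
    conn = make_db()
    return {
        "legit_concat": doctors_by_state_concat(conn, "CA"),
        "legit_param": doctors_by_state_param(conn, "CA"),
        "attack_concat": doctors_by_state_concat(conn, ATTACK),
        "attack_param": doctors_by_state_param(conn, ATTACK),
        "param_handles_apostrophe": doctors_by_state_param(conn, "O'Brien"),
        "concat_errors_on_apostrophe": concat_breaks_on_apostrophe(conn),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the payload, the concatenated query becomes `SELECT * FROM MCCIME_Doctor WHERE state = '' OR '1'='1'` and every doctor in the table comes back; the parameterised query looks for a state literally named `' OR '1'='1` and finds nothing. The apostrophe case is the same defect seen from the other side: if the code cannot survive a quote in the input, it cannot be keeping the input out of the SQL.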