[thelist] To Store or Not to Store - Building dynamic queries
Ken Schaefer
Ken at adOpenStatic.com
Mon Aug 14 20:19:42 CDT 2006
Just be aware that this type of sproc ***reeks*** of SQL Injection
vulnerabilities. You need to be ***very*** careful in your app tier that you
aren't compromising your application.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Sydney: learn all about IIS 7.0 - See you there!
: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Brian Cummiskey
: Sent: Tuesday, 15 August 2006 7:10 AM
: To: thelist at lists.evolt.org
: Subject: Re: [thelist] To Store or Not to Store - Building dynamic queries
:
: Casey Crookston wrote:
: > Brian - thanks for your help. I wasn't too clear on what I was really
: > asking: Will this kind of syntax work in a stored proc?
: >
: > if @param1 > ''
: >
: > set @queryString = 'SELECT * FROM table WHERE ' + @whereString
: >
: > Thanks!
: >
: > Casey
: >
: >
: No, you can't do math on a string like that. (greater than space?)
:
:
: If you have something like:
:
: search: <select name="srchtype"><option
: value="books">Books</option><option value="cd">CDs</option></select>
: for: <select name="srcw"><option value="title">Title</option><option
: value="author">Author</option></select>
: <input type="text" name="textfield" />
:
: You could do something like this:
:
: pass srchtype and srcw in as a parameter to the SP (this will depend on
: your scripting language)
:
: then in the SP,
:
: set @queryString = 'SELECT * FROM '
:
:
: if @srchtype = 'books'
: begin
: set @queryString = @queryString + 'BOOKSTABLE'
: if @srcq = 'title'
: begin
: set @queryString = @queryString + ' WHERE title = '
: @textfield
: else
: set @queryString = @queryString + ' WHERE author =
: ' @textfield
: end
: end
: end
: end
:
:
: That's just quick and probably missing some quotes in the syntax, but i
: think you get the idea.
More information about the thelist
mailing list