message news:Olghqi$EIHA.1164@dotnet.itags.org.TK2MSFTNGP02.phx.gbl...
Quote:
Originally Posted by
Another method is to pass XML into SQL Server, with each ID in a separate
element. You can then join to the XML in a stored procedure and return the
results. This is similar to the IN, but immune from SQL injection.
There's a really good article on that here:
http://www.codeproject.com/sqlrs/Pa...QLParameter.asp
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

"Mark Rae [MVP]" <mark@.markNOSPAMrae.net> wrote in message
news:%23COjFuAFIHA.280@.TK2MSFTNGP03.phx.gbl...
Quote:
Originally Posted by
"Cowboy (Gregory A. Beamer)" <NoSpamMgbworld@.comcast.netNoSpamM> wrote in
message news:Olghqi$EIHA.1164@.TK2MSFTNGP02.phx.gbl...
Quote:
Originally Posted by
> Another method is to pass XML into SQL Server, with each ID in a separate
> element. You can then join to the XML in a stored procedure and return
> the results. This is similar to the IN, but immune from SQL injection.
There's a really good article on that here:
http://www.codeproject.com/sqlrs/Pa...QLParameter.asp
--
Mark Rae
ASP.NET MVP
http://www.markrae.net
I have been following this thread and one thing that has not been mentioned
is that if the method used depends on dynamically creating the SQL then you
must ensure that characters that will break the SQL are not inserted. While
this is not as bad as a SQL injection, I am sure your users don't want to see
a message about a SQL syntax error that they unwittingly created.
LS
"Lloyd Sheen" <a@.b.c> wrote in message
news:OylzSBBFIHA.4140@.TK2MSFTNGP03.phx.gbl...
Quote:
Originally Posted by
I have been following this thread and one thing that has not been
mentioned is that if the method used depends on dynamically creating the
SQL then you must ensure that characters that will break the SQL are not
inserted.
That's true, but doesn't apply to the native XML datatype method...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net
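To make the three points above concrete (Cowboy's XML-parameter join, Lloyd's warning about characters that break dynamically built SQL, and Mark's reply that the native XML type sidesteps it), here is an added T-SQL example. It is not code from any poster or from the linked articles. The table dbo.Products, the procedure names, and the ids/id element names are assumptions chosen for the illustration.

```sql
-- Added example, not from this thread. Assumed schema and constructed sample rows.
CREATE TABLE dbo.Products (ProductID int PRIMARY KEY, Name nvarchar(100) NOT NULL);
INSERT INTO dbo.Products (ProductID, Name)
VALUES (3, N'Widget'), (17, N'Gadget'), (42, N'Sprocket'), (99, N'Unpublished');
GO

-- 1. Dynamic SQL: the caller's text is spliced straight into the statement.
--    Anything that is not a clean "n,n,n" list either breaks the query or
--    changes its meaning.
CREATE PROCEDURE dbo.GetProducts_Dynamic @IdList nvarchar(max)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max) =
        N'SELECT ProductID, Name FROM dbo.Products WHERE ProductID IN ('
        + @IdList + N');';
    EXEC sys.sp_executesql @sql;
END
GO

-- 2. Native xml parameter: the IDs arrive as data. The procedure never
--    concatenates caller input into SQL text, so there is nothing to inject.
CREATE PROCEDURE dbo.GetProducts_Xml @Ids xml
AS
BEGIN
    SET NOCOUNT ON;
    SELECT p.ProductID, p.Name
    FROM @Ids.nodes('/ids/id') AS x(n)           -- one row per <id> element
    JOIN dbo.Products AS p
      ON p.ProductID = x.n.value('.', 'int');    -- element text typed as int
END
GO

-- Dynamic version: the happy path works...
EXEC dbo.GetProducts_Dynamic @IdList = N'3,17,42';       -- 3 rows

-- ...a stray character gives the user a raw syntax error (Lloyd's point)...
-- EXEC dbo.GetProducts_Dynamic @IdList = N'3,17,42,';   -- "Incorrect syntax near ')'"

-- ...and crafted input rewrites the WHERE clause (classic injection):
-- EXEC dbo.GetProducts_Dynamic @IdList = N'0) OR 1=1 --'; -- returns every row, 99 included

-- XML version: same happy path.
EXEC dbo.GetProducts_Xml @Ids = N'<ids><id>3</id><id>17</id><id>42</id></ids>';  -- 3 rows

-- The same payload as element text is just a string that fails int conversion;
-- it is never parsed as SQL. Malformed XML is rejected by the XML parser
-- before the procedure body runs.
-- EXEC dbo.GetProducts_Xml @Ids = N'<ids><id>0) OR 1=1 --</id></ids>';  -- conversion error, no rows
```

On the client, pass the document as an XML-typed parameter (in ADO.NET, SqlDbType.Xml) and build it with an XML API such as XmlWriter or XElement rather than by string concatenation, so that an ID containing `<` or `&` is escaped into harmless element text instead of producing a document the parser refuses.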
On Oct 21, 2:46 pm, "Mark Rae [MVP]" <m...@.markNOSPAMrae.net> wrote:
Quote:
Originally Posted by
"Lloyd Sheen" <a...@.b.c> wrote in message
news:OylzSBBFIHA.4140@.TK2MSFTNGP03.phx.gbl...
Quote:
Originally Posted by
I have been following this thread and one thing that has not been
mentioned is that if the method used depends on dynamically creating the
SQL then you must ensure that characters that will break the SQL are not
inserted.
That's true, but doesn't apply to the native XML datatype method...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net
I had this question months ago, and here is an article I came across
that helped me a lot:
http://www.sommarskog.se/dynamic_sql.html
It shows how to do (among other things) exactly what you are trying to
accomplish.