How can I handle the user entering single quotes like in
Bob's mini mart?
If I use command objects will this no longer be an issue?
I guess that would mean no simple adhoc SQL statements right?
like SELECT name from WHATEVER
would need a command object with
"SELECT @NAME, etc.
and then params
is this the way to solve the problem?
Thanks,
Shane
Use command objects. The single quote "problem" will go away.
Don't use ad-hoc SQL statements that are concatenated from user input. You
are leaving your application vulnerable to a SQL injection attack.
Colin
"SStory" <TheStorys@TAKEOUTTHISSPAMBUSTERsofthome.net> wrote in message
news:OzRbcimSEHA.3636@TK2MSFTNGP09.phx.gbl...
> How can I handle the user entering single quotes like in
> Bob's mini mart?
> If I use command objects will this no longer be an issue?
> I guess that would mean no simple adhoc SQL statements right?
> like SELECT name from WHATEVER
> would need a command object with
> "SELECT @NAME, etc.
> and then params
> is this the way to solve the problem?
> Thanks,
> Shane
Yes, use parameter objects.
--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
"SStory" <TheStorys@TAKEOUTTHISSPAMBUSTERsofthome.net> wrote in message
news:OzRbcimSEHA.3636@TK2MSFTNGP09.phx.gbl...
OK. That is what I had thought.
So to do that in command objects I do something like:
Dim cmd As New SqlCommand("SELECT Name, Address, City FROM tblPerson WHERE State=@State", conn)
Is that right? And then just add @State as a param?
I don't need to do the same for the output params, right? Like Name, Address
and City, or do I have to do them the same?
Shane
"Steve C. Orr [MVP, MCSD]" <Steve@Orr.net> wrote in message
news:Og3zd2sSEHA.1168@TK2MSFTNGP11.phx.gbl...
> Yes, use parameter objects.
> --
> I hope this helps,
> Steve C. Orr, MCSD, MVP
> http://Steve.Orr.net
Basically correct.
Output parameters would need to be declared, but in your example, you
seem to be returning a recordset, not output parameters. This would
return a .NET dataset with multiple records which you could either
bind to an ASP control or use in whatever method you deem prudent :)
On Sun, 6 Jun 2004 09:49:15 -0500, "SStory"
<TheStorys@TAKEOUTTHISSPAMBUSTERsofthome.net> wrote:
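Added example, not code from the thread: the concatenated query Colin warns against, beside the parameterised SqlCommand that Steve and Dan recommend, with the "Bob's mini mart" input from the original question and an injection payload. It also shows Dan's point that Name, Address and City are columns of the returned result set, read with a SqlDataReader, while only @State is a parameter. The table tblPerson(Name, Address, City, State), its NOT NULL columns and the connection string are assumptions for illustration.

```vb
' Added example (not from the thread). Assumes a SQL Server table
' tblPerson(Name, Address, City, State) with non-null columns and a
' placeholder connection string; replace connStr to run the lookup.
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Module PersonLookup

    ' VULNERABLE: user input is pasted into the SQL text. "Bob's mini mart"
    ' breaks the statement at the apostrophe, and "' OR 1=1 --" turns the
    ' WHERE clause into  WHERE State='' OR 1=1 --'  and returns every row.
    ' Only builds the string; it is never executed here.
    Function BuildUnsafeSql(ByVal state As String) As String
        Return "SELECT Name, Address, City FROM tblPerson WHERE State='" & state & "'"
    End Function

    ' SAFE: the SQL text is fixed. The value travels as a typed parameter and
    ' is never parsed as SQL, so apostrophes in it need no escaping and an
    ' injection payload is simply compared against the State column.
    Function FindPeopleByState(ByVal connStr As String, ByVal state As String) As List(Of String)
        Dim rows As New List(Of String)
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand( _
                "SELECT Name, Address, City FROM tblPerson WHERE State = @State", conn)
                ' Declare the parameter with an explicit type and length rather than
                ' AddWithValue, so the input is bounded and the query plan is stable.
                cmd.Parameters.Add("@State", SqlDbType.NVarChar, 50).Value = state
                conn.Open()
                ' Name, Address and City are result-set columns, not output
                ' parameters: read them from the reader by ordinal.
                Using rdr As SqlDataReader = cmd.ExecuteReader()
                    While rdr.Read()
                        rows.Add(rdr.GetString(0) & ", " & rdr.GetString(1) & ", " & rdr.GetString(2))
                    End While
                End Using
            End Using
        End Using
        Return rows
    End Function

    Sub Main()
        ' Constructed inputs: an honest value with an apostrophe and an injection payload.
        Console.WriteLine(BuildUnsafeSql("Bob's mini mart"))
        Console.WriteLine(BuildUnsafeSql("' OR 1=1 --"))

        ' Placeholder connection string (assumption); the parameterised lookup
        ' accepts both inputs without altering the statement.
        Dim connStr As String = "Server=.;Database=People;Integrated Security=true"
        For Each row As String In FindPeopleByState(connStr, "Bob's mini mart")
            Console.WriteLine(row)
        Next
    End Sub

End Module
```

Run it once with the unsafe builder only to see the two generated statements: the first is a syntax error, the second is a valid query with its WHERE clause neutralised. The parameterised version needs no quote handling at all, which is the "problem goes away" Colin describes; escaping apostrophes by hand is not a substitute, because a fixed statement plus a typed parameter is what keeps data from being parsed as SQL.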
Thanks Dan,
Will try to go through and fix offending code.
Shane
"Dan Brussee" <dbrussee@nc.rr.com> wrote in message
news:7ve6c0ls13v3k00iu79pbdf20ggd73m8tp@4ax.com...