How can I handle the user entering single quotes like in
Bob's mini mart?
If I use command objects will this no longer be an issue?
I guess that would mean no simple adhoc SQL statements right?
like SELECT name from WHATEVER
would need a command object with
"SELECT @.NAME, etc.
and then params
is this the way to solve the problem?
Thanks,
Shane
Use command objects. The single quote "problem" will go away.
Don't use ad-hoc SQL statements that are concatenated from user input. You
are leaving your application vulnerable to a SQL injection attack.
Colin
"SStory" <TheStorys@.TAKEOUTTHISSPAMBUSTERsofthome.net> wrote in message
news:OzRbcimSEHA.3636@.TK2MSFTNGP09.phx.gbl...
> How can I handle the user entering single quotes like in
> Bob's mini mart?
> If I use command objects will this no longer be an issue?
> I guess that would mean no simple adhoc SQL statements right?
> like SELECT name from WHATEVER
> would need a command object with
> "SELECT @.NAME, etc.
> and then params
> is this the way to solve the problem?
> Thanks,
> Shane
>
>
Yes, use parameter objects.
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
"SStory" <TheStorys@.TAKEOUTTHISSPAMBUSTERsofthome.net> wrote in message
news:OzRbcimSEHA.3636@.TK2MSFTNGP09.phx.gbl...
> How can I handle the user entering single quotes like in
> Bob's mini mart?
> If I use command objects will this no longer be an issue?
> I guess that would mean no simple adhoc SQL statements right?
> like SELECT name from WHATEVER
> would need a command object with
> "SELECT @.NAME, etc.
> and then params
> is this the way to solve the problem?
> Thanks,
> Shane
>
>
OK. That is what I had thought.
So to do that in command objects I do something like.
dim cmd as new sqlCommand("SELECT Name,Address,City FROM tblPerson WHERE
State=@.State",conn)
is that right? And then just add @.State as a param?
I don't need to do the same for the output params right? Like Name, Address
and City--or do I have to do them the same?
Shane
"Steve C. Orr [MVP, MCSD]" <Steve@.Orr.net> wrote in message
news:Og3zd2sSEHA.1168@.TK2MSFTNGP11.phx.gbl...
> Yes, use parameter objects.
> --
> I hope this helps,
> Steve C. Orr, MCSD, MVP
> http://Steve.Orr.net
>
> "SStory" <TheStorys@.TAKEOUTTHISSPAMBUSTERsofthome.net> wrote in message
> news:OzRbcimSEHA.3636@.TK2MSFTNGP09.phx.gbl...
>
Basically correct.
Output parameters would need to be declared, but in your example, you
seem to be returning a recordset, not output parameters. This would
return a .NET dataset with multiple records which you could either
bind to an ASP control or use in whatever method you deem prudent :)
On Sun, 6 Jun 2004 09:49:15 -0500, "SStory"
<TheStorys@.TAKEOUTTHISSPAMBUSTERsofthome.net> wrote:
>OK. That is what I had thought.
>So to do that in command ojbects I do something like.
>dim cmd as new sqlCommand("SELECT Name,Address,City FROM tblPerson WHERE
>State=@.State",conn)
>is that right? And then just add @.State as a param?
>I don't need to do the same for the output params right? Like Name, Address
>and City--or do I have to do them the same?
>Shane
>
>"Steve C. Orr [MVP, MCSD]" <Steve@.Orr.net> wrote in message
>news:Og3zd2sSEHA.1168@.TK2MSFTNGP11.phx.gbl...
>
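The parameterised lookup Dan confirms above, written out as an added example (this is not code from any poster; it assumes a tblPerson table with Name, Address, City and State columns as in Shane's message, and a connection string supplied by the caller):

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Public Class PersonLookup
    ' Runs the SELECT from the thread with State bound as a parameter.
    ' Only the input value (State) needs a parameter; Name, Address and
    ' City come back as columns of the result set, so nothing is declared
    ' for them. A value such as "Bob's mini mart" is passed to the server
    ' as data, so its single quote never touches the SQL text.
    Public Shared Function GetPeopleByState(connectionString As String, state As String) As DataTable
        Dim result As New DataTable()
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand( _
                    "SELECT Name, Address, City FROM tblPerson WHERE State = @State", conn)
                ' Typed parameter: the provider sends the value separately from the command.
                cmd.Parameters.Add("@State", SqlDbType.NVarChar, 50).Value = state
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    result.Load(reader)
                End Using
            End Using
        End Using
        Return result
    End Function

    ' For contrast only: this is the ad hoc form the thread warns against.
    ' With state = "Bob's mini mart" it yields
    '   SELECT ... WHERE State = 'Bob's mini mart'
    ' which is a syntax error at best and an injection point at worst.
    Public Shared Function ConcatenatedSql(state As String) As String
        Return "SELECT Name, Address, City FROM tblPerson WHERE State = '" & state & "'"
    End Function
End Class
```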
Thanks Dan,
Will try to go through and fix offending code.
Shane
"Dan Brussee" <dbrussee@.nc.rr.com> wrote in message
news:7ve6c0ls13v3k00iu79pbdf20ggd73m8tp@.4ax.com...
> Basically correct.
> Output parameters would need to be declared, but in your example, you
> seem to be returning a recordset, not output parameters. This would
> return a .NET dataset with multiple records which you could either
> bind to an ASP control or use in whatever method you deem prudent :)
>
> On Sun, 6 Jun 2004 09:49:15 -0500, "SStory"
> <TheStorys@.TAKEOUTTHISSPAMBUSTERsofthome.net> wrote:
>