Then you should parse the whole query and replace ' with \', but you will have to do that for every escape character. And it still leaves your database open to SQL injections. Have a look at these links:
http://www.codeproject.com/aspnet/SqlInjection.asp
http://www.codeproject.com/cs/database/SqlInjectionAttacks.asp
V. wrote: Unfortunately we don't use sqlparameters and I don't think it's an option to re-write the DAL component...
Then you should give the person that wrote the DAL a good hard slap for being an idiot.
Seriously - you need to use SqlParameters to reduce the risk of a SQL injection attack. No ifs, no buts, it just needs to be done.
Upcoming events:
* Glasgow: Mock Objects, SQL Server CLR Integration, Reporting Services, db4o, Dependency Injection with Spring ...
* Reading: Developer Day 5
Ready to Give up - Your help will be much appreciated.
My website
Colin Angus Mackay wrote: Then you should give the person that wrote the DAL a good hard slap for being an idiot
It was me... the DLL is actually a very easy and stable DAL component, but it was written before I even knew of the existence of SQL injection. I'll probably keep myself busy with making this better, but now is just not the time...
Do you have the time to waste with problems like the one you're asking about now? Either you make your future life easier by rewriting for parameters, or you waste your time dealing with little problems that crop up like this because you didn't use parameters in the first place.
Maybe you didn't mean to, but I find this reply not really constructive.
If you can't give a constructive answer, please don't waste your time writing it.
Your parameters option might be the best and I surely will keep it in mind for the future, but for now the DAL component I wrote has saved me hours and hours of time, so it can't be that bad. (Yes I know, it probably is in your eyes.)
thank you.
V. wrote: I wrote has saved me hours and hours of time,
Did it now?
So now you're stuck with this problem, future problems, and if just a single attack gets through and destroys your database, how many hours of time are you going to "save" rebuilding it?
Let me put it to you this way. Your code is going to face an attack. It's inevitable in a production environment. Where is the most likely source of an attack going to be? The first thing on your list of things to plan for is disgruntled employees, not some script kiddies or hackers.
Dave is right. Statistically most attacks are insider jobs.
lol, I'm not saying he was wrong, I just didn't like the tone of his reply.
You set me straight as well, but at least in a constructive way.
ah... okay.
Do it like this:
SELECT * FROM A_Communes WHERE label_d LIKE 'BRAINE-L''ALLEUD%';
Just place another apostrophe [ ' ] next to the existing one.
life can be so simple sometimes...
Thank you very much!
The advice you were given still leaves you vulnerable to SQL injection attacks. Please use parameterised queries at a minimum to reduce the risk.
gamzun wrote: just place another [ ' ] the apostrophe
That is poor advice. While technically it will work, it still carries the risk of SQL injection attacks. You should be using parameterised queries; that way you don't have to escape anything.
Yes, I know it's a bad choice to accomplish that, but as he wants it that way I can't help him out in any other way.
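To make the difference between doubling the apostrophe and passing a parameter concrete, here is an added example that is not from the thread. It uses Python's sqlite3 module as a stand-in for the .NET SqlClient/SQL Server stack, because the mechanism is the same: with a parameter (`?` here, `@name` with a SqlParameter in .NET) the value travels separately from the statement text, so the driver never parses it as SQL. The A_Communes table and label_d column come from gamzun's query; the rows are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the A_Communes table in the thread.
SAMPLE_ROWS = [
    (1, "BRAINE-L'ALLEUD"),
    (2, "BRAINE-LE-COMTE"),
    (3, "WAVRE"),
]


def make_db():
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE A_Communes (id INTEGER PRIMARY KEY, label_d TEXT)")
    conn.executemany("INSERT INTO A_Communes VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_by_concat(conn, prefix):
    """The pattern the thread starts from: user text glued into the SQL string.
    An apostrophe breaks the statement, and any text can change its meaning."""
    sql = "SELECT id FROM A_Communes WHERE label_d LIKE '" + prefix + "%'"
    return [row[0] for row in conn.execute(sql)]


def find_by_doubling(conn, prefix):
    """gamzun's fix: double every apostrophe before concatenating.
    This cures the syntax error but is still string building; one missed escape
    anywhere in the DAL and the statement is open again."""
    escaped = prefix.replace("'", "''")
    sql = "SELECT id FROM A_Communes WHERE label_d LIKE '" + escaped + "%'"
    return [row[0] for row in conn.execute(sql)]


def find_by_parameter(conn, prefix):
    """Colin's advice: pass the value as a parameter. The driver sends it apart
    from the statement, so no character in it is ever interpreted as SQL."""
    sql = "SELECT id FROM A_Communes WHERE label_d LIKE ?"
    return [row[0] for row in conn.execute(sql, (prefix + "%",))]


def demo():
    """Run the three variants on an apostrophe and on a textbook tautology."""
    conn = make_db()
    apostrophe = "BRAINE-L'ALLEUD"
    # Harmless as a search string, but it rewrites the WHERE clause if concatenated.
    tautology = "x' OR 1=1 --"
    results = {
        "doubling_apostrophe": find_by_doubling(conn, apostrophe),   # [1]
        "parameter_apostrophe": find_by_parameter(conn, apostrophe), # [1]
        "concat_tautology": find_by_concat(conn, tautology),         # every row
        "parameter_tautology": find_by_parameter(conn, tautology),   # no row
    }
    try:
        find_by_concat(conn, apostrophe)
        results["concat_apostrophe"] = "ran"
    except sqlite3.Error:
        # The original problem from the thread: the apostrophe ends the literal early.
        results["concat_apostrophe"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The doubled apostrophe and the parameter both return the BRAINE-L'ALLEUD row, which is why the escaping trick looks like a solution; the tautology row shows what it does not solve. Only the parameterised version treats every input purely as data.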
I have data in MS SQL Server 2005 Express Edition; my client wants that database to be in Oracle 10g. Can anyone please suggest a solution to do that with ease?
Thanks
Hi,
I haven't used 2005; I am presently using 2000.
You can do this using SQL Enterprise Manager with the option Export Data --> select the server (10g) and follow the wizard.
NOTE: 10g should be installed.
Hi folks,
I got a question concerning stored procedures and I didn't find anything helpful on the comment search or via google:
I need to query a single column in a stored procedure, but I want to identify this column with a varchar parameter, so that I can use one stored procedure for all columns in a table. Maybe there's also a way to design such a stored procedure even for whole tables. What I'm looking for is a stored procedure like this:
CREATE PROCEDURE [dbo].[GetValueFromMyTable]
( @Column varchar )
AS
BEGIN
    -- selects the parameter's text, not the column it names
    SELECT @Column FROM MyTable
END
The code seems to be correct, but the statement doesn't work the way I want it to work. Does anyone have an idea about my problem?
Thanks in advance, Tobias
As @Column is an input parameter and you have taken varchar as its data type, you have to specify the length of the input parameter.
For example:
@Column varchar(20)
I hope this will help you.
Puneet Srivastava
Thank you for your answer, but it still doesn't work. I only get the column name as a result set. I think the statement expects a column object to identify the right column, doesn't it?! Does someone have an idea?
Try building a dynamic query with the variable name.
If U Get Errors U Will Learn
If U Don't Get Errors U Have Learnt
I know the possibility of dynamic queries, but the problem is that I've got to use one stored procedure per table. So I simply have to get the mapping between the name and the column. Is there a fast way to achieve this?
OK, finally I made it work - here's the simplified procedure's code that's working fine:
ALTER PROCEDURE [dbo].[GetData](
    @Column varchar(100),
    @Begin datetime,
    @End datetime
)
AS
BEGIN
    DECLARE @query nvarchar(1000)
    -- quotename brackets the name so it is always parsed as a single identifier
    SET @query = N'SELECT ' + quotename(@Column) + N' FROM MyTable'

    EXEC sp_executesql @query
END
Thanks for your hint vimal_yet!
CREATE PROCEDURE [dbo].[GetValueFromMyTable]
( @ColID INT )
AS
BEGIN
    -- map the integer parameter onto a fixed set of columns; no dynamic SQL needed
    SELECT ColName = CASE @ColID
        WHEN 1 THEN Col1
        WHEN 2 THEN Col2
        ELSE Col3
    END
    FROM tableName
END
Regards,
Arun Kumar.A
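The two working answers above take different routes: Tobias's dynamic SQL with quotename and sp_executesql, and Arun's CASE mapping from an integer to a fixed column. The added example below, which is not from the thread, combines the defensive idea of both in Python with sqlite3 standing in for SQL Server: a column name supplied by the caller is checked against the table's real columns from the catalogue (PRAGMA table_info here; sys.columns or INFORMATION_SCHEMA.COLUMNS on SQL Server) before it is quoted into the statement, and the integer-to-column mapping becomes a small dictionary. MyTable, Col1, Col2 and Col3 are taken from the thread; the rows and the quote_ident, table_columns, get_column and get_column_by_id names are assumptions of this example.

```python
import sqlite3


def make_db():
    """Create an in-memory MyTable with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (Col1 TEXT, Col2 TEXT, Col3 TEXT)")
    conn.executemany("INSERT INTO MyTable VALUES (?, ?, ?)",
                     [("a1", "b1", "c1"), ("a2", "b2", "c2")])
    return conn


def quote_ident(name):
    """Quote an identifier the way quotename does in T-SQL, using SQLite's
    double-quote form: any embedded double quote is doubled."""
    return '"' + name.replace('"', '""') + '"'


def table_columns(conn, table):
    """Read the real column names from the catalogue (PRAGMA table_info)."""
    rows = conn.execute(f"PRAGMA table_info({quote_ident(table)})")
    return [row[1] for row in rows]


def get_column(conn, table, column):
    """Dynamic SQL with an allow-list on top of quoting. Quoting alone keeps the
    name from breaking out of the identifier, but it still lets a caller name
    any column; the exact-match check against the catalogue closes that gap."""
    allowed = table_columns(conn, table)
    if column not in allowed:
        raise ValueError(f"unknown column {column!r}; allowed: {allowed}")
    sql = f"SELECT {quote_ident(column)} FROM {quote_ident(table)}"
    return [row[0] for row in conn.execute(sql)]


def get_column_by_id(conn, col_id):
    """Arun's CASE approach as a lookup: a small integer picks one of a fixed
    set of columns, so no identifier text ever comes from the caller.
    Unknown ids fall through to Col3, matching the CASE's ELSE branch."""
    mapping = {1: "Col1", 2: "Col2"}
    return get_column(conn, "MyTable", mapping.get(col_id, "Col3"))


if __name__ == "__main__":
    db = make_db()
    print(get_column(db, "MyTable", "Col2"))   # ['b1', 'b2']
    print(get_column_by_id(db, 1))             # ['a1', 'a2']
    try:
        # Quoting would turn this into one (non-existent) identifier; the
        # allow-list rejects it before any SQL is built.
        get_column(db, "MyTable", 'Col1" FROM MyTable --')
    except ValueError as err:
        print("rejected:", err)
```

The same shape carries over to the T-SQL procedure: look the parameter up in sys.columns for the target table and RAISERROR if it is absent, then build the statement with quotename and run it through sp_executesql. Where the set of selectable columns is small and fixed, Arun's CASE needs no dynamic SQL at all.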
Hi,
I need a solution for a scenario. When the server goes down I need to continue my work using the temporary values available. How can this be achieved? Does a dataset hold values even when the server goes down? If so, how does it work?
Thanks in advance,
zari