Re: VS 2005 MS SQL server express query problem



On Mar 28, 10:31 pm, "Yogi" <Michal.Gorski...@xxxxxxxxx> wrote:
On Mar 28, 8:49 pm, "Cowboy \(Gregory A. Beamer\)" <NoSpamMgbwo...@xxxxxxxxxxxxxxxxxx> wrote:
Pull the query out of the command object after it has concatenated all of
the bits together. Then run that code in Express Studio and see what you
get. Tune the query until it works and take that back to your application.
That is step 1.

Next, get rid of the concatenation altogether and truly parameterize, as I
can do the following with yours

@partOfName = "') ;DROP TABLE person --"

This will issue the following command:

SELECT name
FROM person
WHERE (name LIKE N'%') ; DROP Table Person -- %'

Cute, huh?

If you have complex logic, put it in a stored procedure to avoid these types
of injection attacks.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
http://gregorybeamer.spaces.live.com

*********************************************
Think outside the box!
*********************************************

"Yogi" <Michal.Gorski...@xxxxxxxxx> wrote in message

news:1175031786.246868.61440@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


As I wrote before, my query works in Express Studio!!! and in VS2005
in Query Builder in Execute Query, but doesn't work in my application
and in VS2005 in Preview Data...

Try it cowboy, please, thanks for answer...

But with getting rid of the concatenation altogether and truly
parameterized.... Sometimes it is necessary to have truly
parameterized, so... do you see any solution in this case? Do you know
something like "magic quotes" or something like that in C# or in MS SQL
Server? I think it is possible, I'm truly convinced that it's
possible!!


I found this to prevent the injections. I hope this will be helpful for
beginners and others.
To be secure with MS SQL, read it:
http://msdn2.microsoft.com/en-us/library/aa174437(SQL.80).aspx

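An added example, not code from the thread or from either poster, showing the concatenated query Gregory describes side by side with a parameterized ADO.NET version in C# (System.Data.SqlClient, as shipped with VS 2005 / .NET 2.0). The connection string, the TestDb database and the person/name table and column are assumptions for illustration:

```csharp
// Added example (not from the thread): concatenated vs. parameterized LIKE query.
// Assumptions: a local SQL Server Express instance, a database "TestDb" and a
// table "person" with an nvarchar column "name".
using System;
using System.Data;
using System.Data.SqlClient;

class PersonSearch
{
    // VULNERABLE: the pattern the thread is about. The user's text becomes
    // part of the SQL statement, so the input  ') ;DROP TABLE person --
    // turns into exactly the statement Gregory shows. Only built here for
    // display; it is never executed.
    static string BuildConcatenatedSql(string partOfName)
    {
        return "SELECT name FROM person WHERE (name LIKE N'%" + partOfName + "%')";
    }

    // SAFE: the value travels as a typed parameter, never as SQL text.
    // The LIKE pattern is assembled inside T-SQL from the parameter value,
    // so quotes, semicolons and comment markers in the input stay data.
    static DataTable SearchByName(SqlConnection conn, string partOfName)
    {
        const string sql =
            "SELECT name FROM person " +
            "WHERE name LIKE N'%' + @partOfName + N'%' ESCAPE '\\'";

        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Escape LIKE wildcards so a user typing '%', '_' or '[' matches
            // those characters literally instead of widening the search.
            // This is a search-semantics detail, not the injection fix; the
            // parameter alone already prevents injection.
            string pattern = partOfName
                .Replace("\\", "\\\\")
                .Replace("%", "\\%")
                .Replace("_", "\\_")
                .Replace("[", "\\[");

            cmd.Parameters.Add("@partOfName", SqlDbType.NVarChar, 100).Value = pattern;

            DataTable result = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(result);
            }
            return result;
        }
    }

    static void Main()
    {
        // The hostile value from Gregory's post, used only to show the difference.
        string hostile = "') ;DROP TABLE person --";

        // What the concatenated version would have sent to the server.
        Console.WriteLine(BuildConcatenatedSql(hostile));

        // Assumed connection string for a local SQL Server Express instance.
        string connStr = @"Data Source=.\SQLEXPRESS;Initial Catalog=TestDb;Integrated Security=True";
        using (SqlConnection conn = new SqlConnection(connStr))
        {
            conn.Open();
            DataTable rows = SearchByName(conn, hostile);
            // With the parameterized query this simply returns the rows whose
            // name contains that literal text, normally zero.
            Console.WriteLine(rows.Rows.Count + " row(s) matched");
        }
    }
}
```

The parameter arrives at the server as an nvarchar value that is never parsed as SQL, which is the SQL Server answer to the "magic quotes" question in the thread: escaping quotes by hand is what magic quotes does and it is fragile, whereas a parameter cannot terminate the statement at all. The same Parameters collection works unchanged with CommandType.StoredProcedure, so Gregory's advice to move complex logic into a stored procedure keeps this property as long as the procedure itself does not rebuild dynamic SQL from its arguments.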


