Re: Passing in a Parameter

From: Hugo Kornelis <hugo@xxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 29 Apr 2005 01:06:06 +0200

On Thu, 28 Apr 2005 15:30:02 -0700, Kunkel wrote:

>thanks for that link! it was very helpful. but after i implemented the
>articles ideas, i came across this solution:
>
>DECLARE @Var AS VARCHAR(100)
>SET @Var = '''Dan'', ''Mike'', ''Lisa'''
>DECLARE @SQL AS varchar(1000)
>
>SET @SQL = 'SELECT *
>FROM ORDERS
>WHERE
>NAME IN (' + @Var + ')'
>
>Exec(@SQL)

Hi Kunkel,

This is dynamic SQL, and I believe that this techinique is discussed at
Erland's site as well. Please don't do this if you can avoid it. It is a
severe breach of security - you give malicious users the ability to
inject SQL.

Erland has a great article with an in-depth explanation of pros and cons
of dynamic SQL as well: http://www.sommarskog.se/dynamic_sql.html

Best, Hugo
--

(Remove _NO_ and _SPAM_ to get my e-mail address)
.

References:
- Passing in a Parameter
  - From: Kunkel
- Re: Passing in a Parameter
  - From: Hugo Kornelis
- Re: Passing in a Parameter
  - From: Kunkel

Prev by Date: Re: Passing in a Parameter
Next by Date: TOP and OFFSET
Previous by thread: Re: Passing in a Parameter
Next by thread: TOP and OFFSET
Index(es):
- Date
- Thread

Relevant Pages

Re: Using variables in Dynamic SQL
... > execute dynamic SQL I am getting the error message "Syntax error ... > DECLARE @StartDate datetime ... > So my 2nd query is can anybody advise me of the correct format here. ...
(microsoft.public.sqlserver.programming)
Re: Insert, Udate, Select data with embedded C++
... Definitely read Joao's excellent articles on codeproject and PocketPCdn. ... wrapper to SQL CE for Sql Mobile and am almost done. ... > Does anyone know where I can find some useful information (preferably ...
(microsoft.public.sqlserver.ce)
Re: using sp_executesql for dynamic search in stored procedure.
... I assume you had some quotes around the dynamic SQL and parameter list? ... DECLARE @int_start AS INTEGER ... SET @int_start = 1--this variable will be read into the stored procedure. ...
(microsoft.public.sqlserver.server)
Re: I want to create a database and store and retrieve information
... Yes Foxpro does have SQL but I never did use it myself. ... > Find great Windows Forms articles in Windows Forms Tips and Tricks ... >> I think I will break ties with FoxPro and COM and go for either SQLServer ...
(microsoft.public.dotnet.languages.csharp)
Re: Critique My SQL
... " FROM Articles, Authors, Categories, Groups" + ... Does my SQL statement seem reasonably efficient and correctly formed? ... it in your grid. ...
(microsoft.public.dotnet.framework.adonet)