On 6/21/06, Mike yearwood <[EMAIL PROTECTED]> wrote:
The resulting SQL is:
select * from table where field = @cField
[snip]
So my point is that ad-hoc parameterized SQL is safe as
far as I can tell.
If I'm wrong please, Please, PLEASE demonstrate by
putting SQL Injection code into a parameter and making
it execute.
You're right. As far as I can see it's perfectly safe.
However, this type of statement is quite limited. For example I'm
pretty sure it can't be used to specify a field in a ORDER BY or GROUP
BY clause (which are both quite handy).
Of course one way around this would be:
IF @cOrder = "NAME"
BEGIN
select * from table where field = @cField
ORDER BY name
END
IF @cOrder = "AGE
BEGIN
select * from table where field = @cField
ORDER BY age
END
(been a while since I did any proper SQL, forgive any syntax errors!).
Also, I wonder if EXEC() would run faster? I seem to remember that
SQL Server can cache dynamic queries (statistics etc).
--
Paul
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.
