doing a SELECT with parameters and drop-down lists

W

Wayne Deleer

Here's a perplexing thought... right now I'm writing an application
that uses a web form, with many different input types. Some of these
types are lists that allow for multiple selections. After selecting
all the necessary values I want to run a SELECT statement on an SQL
database, but using 'parameters' to avoid injection attacks, etc...

So ideally I could run a command something like this:

SELECT * FROM mydatabase WHERE (field1 LIKE @field1, field2 LIKE
@field2, field3 =@someListValue1 OR field3 = @someListValue2, field4
LIKE @field4)

The reason I want to use parameters is that some of the values (eg.
field1) could be a text box field and could (possibly) result in
command such as:

SELECT * FROM mydatabase WHERE (field1 LIKE 'sometext';DROP TABLE....'
etc...

The values from text boxes aren't that much of a concern, because it's
a single entry and they can be easily parameterized. The problem is
with list boxes. Sure, I can iterate through the list, find out how
many items are selected in the list, create snippets of search strings
based on the number of items selected in that list and then put it all
together in the end to make a final query to present to the SQL server
using C#... but there has to be a nicer way. Especially with 40
different lists, drop-lists, radio buttons, and text boxes... this is
getting to be ugly looking code.

I'm just wondering if anyone else has experienced this and found a
better way.

hmmm... still pondering this as I write.

Thx.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,982
Messages
2,570,185
Members
46,736
Latest member
AdolphBig6

Latest Threads

Top