Wayne Deleer
Here's a perplexing thought... right now I'm writing an application
that uses a web form, with many different input types. Some of these
types are lists that allow for multiple selections. After selecting
all the necessary values I want to run a SELECT statement on an SQL
database, but using 'parameters' to avoid injection attacks, etc...
So ideally I could run a command something like this:
SELECT * FROM mydatabase WHERE (field1 LIKE @field1 AND field2 LIKE
@field2 AND (field3 = @someListValue1 OR field3 = @someListValue2) AND field4
LIKE @field4)
The reason I want to use parameters is that some of the values (e.g.
field1) could be a text box field and could (possibly) result in a
command such as:
SELECT * FROM mydatabase WHERE (field1 LIKE 'sometext';DROP TABLE....'
etc...
The values from text boxes aren't that much of a concern, because it's
a single entry and they can be easily parameterized. The problem is
with list boxes. Sure, I can iterate through the list, find out how
many items are selected in the list, create snippets of search strings
based on the number of items selected in that list and then put it all
together in the end to make a final query to present to the SQL server
using C#... but there has to be a nicer way. Especially with 40
different lists, drop-lists, radio buttons, and text boxes... this is
getting to be ugly-looking code.
I'm just wondering if anyone else has experienced this and found a
better way.
hmmm... still pondering this as I write.
Thx.
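One way to handle the multi-select case in C# with ADO.NET, as an added example that is not from the original post: a helper that expands each selected list item into its own @parameter, so the SQL text is assembled only from fixed fragments and placeholder names while every user-supplied value is bound. The table and column names (mydatabase, field1, field3) are taken from the question; SqlConnection/SqlCommand are the System.Data.SqlClient types.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post). Builds a parameterized
// WHERE clause for a form made of text boxes and multi-select list boxes.
public static class SearchQueryBuilder
{
    // Appends "column IN (@prefix_0, @prefix_1, ...)" with one parameter per
    // selected value. Only the generated placeholder names are concatenated
    // into the SQL text; the values themselves always travel as parameters.
    public static string InClause(SqlCommand cmd, string column, string prefix,
                                  IReadOnlyList<string> selected)
    {
        if (selected.Count == 0)
            return "1 = 0";                     // nothing selected -> no rows match

        var names = new List<string>(selected.Count);
        for (int i = 0; i < selected.Count; i++)
        {
            string name = $"@{prefix}_{i}";
            names.Add(name);
            cmd.Parameters.Add(name, SqlDbType.NVarChar, 200).Value = selected[i];
        }
        return $"{column} IN ({string.Join(", ", names)})";
    }

    // Assembles the full command. Column names are compile-time constants
    // chosen by the application, never taken from the request.
    public static SqlCommand Build(SqlConnection conn, string field1Text,
                                   IReadOnlyList<string> field3Selected)
    {
        var cmd = conn.CreateCommand();
        var where = new List<string>();

        // Text box: LIKE with a bound parameter; the wildcards are added here,
        // so the user's text is matched as a literal substring.
        where.Add("field1 LIKE @field1");
        cmd.Parameters.Add("@field1", SqlDbType.NVarChar, 200).Value = "%" + field1Text + "%";

        // Multi-select list box: one parameter per chosen item.
        where.Add(InClause(cmd, "field3", "field3", field3Selected));

        cmd.CommandText = "SELECT * FROM mydatabase WHERE " + string.Join(" AND ", where);
        return cmd;
    }
}
```

SQL Server accepts at most 2100 parameters per command, so a list that can carry very large selections needs a table-valued parameter or a temp table instead of one parameter per item.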