Mike yearwood <> wrote:

> The ultimate answer IMO is to create your SQL as a parameterized
> query. No stupid string scrubbing required, no possibility of SQL
> injection attacks and the performance is the same as with a stored
> procedure since SQL version 7 and up cache all execution plans for
> all queries including stored procedures.    
> 
> The "raw user input" no matter what it contains is sent to SQL Server
> as a parameter, therefore it is never executed, while the rest of the
> SQL command is.  
> 
> lcName = "raw user input"
> sqlexec(gnconnection,"select * from table where name = ?m.lcName")


How do you apply a "Like" comparison?



Stephen Russell
DBA / Operations Developer

Memphis TN 38115
901.246-0159

http://spaces.msn.com/members/srussell/
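An added example, not from the thread, showing the LIKE case with the same rule Mike describes: the SQL text stays fixed and only the parameter changes. Python with sqlite3 stands in for VFP's SQLEXEC() against SQL Server; the wildcards are appended to the parameter value rather than the SQL string, user-typed % and _ are escaped so they match literally, and the customers table and its rows are constructed here for the demo.

```python
import sqlite3

# Constructed sample rows standing in for the SQL Server table in the post.
SAMPLE_ROWS = [
    ("Smith, John",),
    ("Smithson, Ann",),
    ("100% Pure Co.",),
    ("O'Brien; DROP TABLE x",),
]


def open_sample_db():
    """In-memory database with the constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?)", SAMPLE_ROWS)
    return conn


def like_pattern(raw_user_input, mode="prefix"):
    """Build the LIKE pattern inside the parameter VALUE, never in the SQL text.

    Any % or _ (and the escape char itself) the user typed is escaped so it
    matches literally; only the wildcards we add here act as wildcards.
    mode: 'prefix' -> input%, 'contains' -> %input%, anything else -> exact.
    """
    escaped = (raw_user_input.replace("\\", "\\\\")
                             .replace("%", "\\%")
                             .replace("_", "\\_"))
    if mode == "prefix":
        return escaped + "%"
    if mode == "contains":
        return "%" + escaped + "%"
    return escaped


def find_names(conn, raw_user_input, mode="prefix"):
    """Parameterized LIKE: the statement is constant, the pattern is bound.

    Whatever the user typed (quotes, semicolons, wildcards) travels as data,
    so it is compared, not executed.
    """
    sql = "SELECT name FROM customers WHERE name LIKE ? ESCAPE '\\'"
    cur = conn.execute(sql, (like_pattern(raw_user_input, mode),))
    return [row[0] for row in cur.fetchall()]
```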

-- 



_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech