Re: SQL Injection Code Help
- From: Dan Sullivan <dan@xxxxxxxxxxxxxxx>
- Date: Tue, 20 Jun 2006 18:30:10 +0000 (UTC)
A parameter used in a TOP statement must be in parentheses.
DECLARE @n INT
SET @n = 2
SELECT TOP(@n) * FROM #tbl
Dan
jbiros wrote:
> Agreed, but it seems a lot more difficult to write reusable code to
> execute the sql when you parameterize your queries. Can you still
> use, for example, a single function, ExecuteSQL(argSQL) to execute
> ANY statement if you parameterize your queries? You don't want to
> have to write a ton of unique code for every single SQL statement,
> especially if you have a large system with thousands of SQL
> statements.
> Jeremy
Quite the opposite, it gets easier to write reusable code, however the
exact implementation differs depending on what you use.
Unfortunately there are two situations where you cannot use
parameters, the first one is if you want to do a TOP statement, for
some incomprehensible reason you cannot use a parameter in a TOP
statement.
The second is an IN LIST statement since there is no array or vector
type in SQL server, however this one can be solved by creating a
function that splits a value and creates a table or you could use
the new XML datatype instead.
PL.
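The single reusable ExecuteSQL(argSQL) entry point jbiros asks about, together with the IN-list case PL mentions, as an added Python example that is not code from this thread. It assumes sqlite3 as a stand-in for SQL Server (SQLite has no TOP, so `LIMIT ?` plays the role of Dan's `TOP(@n)`), builds the IN list by expanding one placeholder per value rather than PL's split function, and keeps one concatenating lookup purely to show what parameters prevent. The table, rows and function names are constructed for the example.

```python
import sqlite3
from typing import Any, Sequence

# Constructed sample rows standing in for the thread's #tbl (assumption: sqlite3
# in memory instead of SQL Server).
SAMPLE_ROWS = [
    ("alice", "admin"),
    ("bob", "user"),
    ("carol", "auditor"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO tbl (name, role) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def execute_sql(conn: sqlite3.Connection, sql: str, params: Sequence[Any] = ()) -> list[tuple]:
    """One reusable function for every statement: the SQL text is a fixed string
    written by the developer, and every user-supplied value travels separately
    as a bound parameter, so the database never parses it as SQL."""
    return conn.execute(sql, tuple(params)).fetchall()


def in_list(values: Sequence[Any]) -> tuple[str, list[Any]]:
    """Build an IN (?, ?, ...) clause with exactly one placeholder per value.

    This is the placeholder-expansion alternative to a split function: the
    statement text gains only '?' marks, never the values themselves. An empty
    list yields IN (NULL), which matches no row instead of producing the
    syntax error IN () would cause."""
    values = list(values)
    if not values:
        return "(NULL)", []
    return "(" + ", ".join("?" * len(values)) + ")", values


def top_n(conn: sqlite3.Connection, n: int) -> list[str]:
    """Row count as a bound parameter (SQLite LIMIT ?; SQL Server wants TOP(@n))."""
    rows = execute_sql(conn, "SELECT name FROM tbl ORDER BY id LIMIT ?", [n])
    return [r[0] for r in rows]


def names_with_roles(conn: sqlite3.Connection, roles: Sequence[str]) -> list[str]:
    """Parameterized IN-list lookup: each role value is data, not SQL."""
    clause, params = in_list(roles)
    # clause contains only placeholders and parentheses, so the f-string is safe here.
    rows = execute_sql(conn, f"SELECT name FROM tbl WHERE role IN {clause} ORDER BY id", params)
    return [r[0] for r in rows]


def names_with_role_unsafe(conn: sqlite3.Connection, role: str) -> list[str]:
    """Contrast only: concatenating the value lets a quote inside it rewrite the query."""
    rows = conn.execute(f"SELECT name FROM tbl WHERE role = '{role}' ORDER BY id").fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(top_n(db, 2))
    print(names_with_roles(db, ["admin", "auditor"]))
    print(names_with_roles(db, ["admin' OR '1'='1"]))   # treated as a literal role name
    print(names_with_role_unsafe(db, "x' OR '1'='1"))   # concatenation returns every row
```

The same `execute_sql` serves every statement in the application; only the SQL text and the parameter list change per call, which is the reusability PL describes. The IN-list helper is the one place the statement text is assembled at run time, and it is assembled from placeholders alone, so the values still reach the database as parameters.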