Let's say you have a text field on some application that's used to be part of a SQL select statement like "SELECT " + txtField.Text() + " FROM [Some_Table];"
What if the user entered "(DELETE *)" or some other insert, update, etc. in the text field? Is there any way it could embed the statement and really mess things up in your database?Yes. Google for "SQL injection". And vow never again to build your SQL like that; use bind variables to pass user input to the SQL engine. This also makes the database perform better AND makes your SQL easier to write:
"SELECT ? FROM [Some_Table]"
Showing posts with label delete. Show all posts
Showing posts with label delete. Show all posts
Monday, March 26, 2012
Wednesday, March 21, 2012
run the output
I want to delete the index:
How to run the output of:
select 'alter table ' + b.name + ' drop constraint ' + a.name from
sysobjects a
inner join syscolumns on syscolumns.id = a.parent_obj
inner join sysobjects b on syscolumns.id = b.id
where syscolumns.name = 'rowguid'
and objectproperty(object_id(b.name),'IsMSShipped') = 0
and a.xtype = 'D'
ThanksM,
Copy the output from the result pane into the query pane and Ctrl+E (or F5
or Alt+X).
HTH
Jerry
"M" <mxchen@.hotvoice.com> wrote in message
news:encucR20FHA.460@.TK2MSFTNGP15.phx.gbl...
> I want to delete the index:
> How to run the output of:
>
> select 'alter table ' + b.name + ' drop constraint ' + a.name from
> sysobjects a
> inner join syscolumns on syscolumns.id = a.parent_obj
> inner join sysobjects b on syscolumns.id = b.id
> where syscolumns.name = 'rowguid'
> and objectproperty(object_id(b.name),'IsMSShipped') = 0
> and a.xtype = 'D'
> Thanks
>
>|||Thanks
"Jerry Spivey" <jspivey@.vestas-awt.com> wrote in message
news:u6FbrU20FHA.1264@.tk2msftngp13.phx.gbl...
> M,
> Copy the output from the result pane into the query pane and Ctrl+E (or F5
> or Alt+X).
> HTH
> Jerry
> "M" <mxchen@.hotvoice.com> wrote in message
> news:encucR20FHA.460@.TK2MSFTNGP15.phx.gbl...
>
>
How to run the output of:
select 'alter table ' + b.name + ' drop constraint ' + a.name from
sysobjects a
inner join syscolumns on syscolumns.id = a.parent_obj
inner join sysobjects b on syscolumns.id = b.id
where syscolumns.name = 'rowguid'
and objectproperty(object_id(b.name),'IsMSShipped') = 0
and a.xtype = 'D'
ThanksM,
Copy the output from the result pane into the query pane and Ctrl+E (or F5
or Alt+X).
HTH
Jerry
"M" <mxchen@.hotvoice.com> wrote in message
news:encucR20FHA.460@.TK2MSFTNGP15.phx.gbl...
> I want to delete the index:
> How to run the output of:
>
> select 'alter table ' + b.name + ' drop constraint ' + a.name from
> sysobjects a
> inner join syscolumns on syscolumns.id = a.parent_obj
> inner join sysobjects b on syscolumns.id = b.id
> where syscolumns.name = 'rowguid'
> and objectproperty(object_id(b.name),'IsMSShipped') = 0
> and a.xtype = 'D'
> Thanks
>
>|||Thanks
"Jerry Spivey" <jspivey@.vestas-awt.com> wrote in message
news:u6FbrU20FHA.1264@.tk2msftngp13.phx.gbl...
> M,
> Copy the output from the result pane into the query pane and Ctrl+E (or F5
> or Alt+X).
> HTH
> Jerry
> "M" <mxchen@.hotvoice.com> wrote in message
> news:encucR20FHA.460@.TK2MSFTNGP15.phx.gbl...
>
>
Subscribe to:
Posts (Atom)