From: Plamen Ratchev on
I am very curious if one does not accept that parameterized queries are the safe approach to SQL Injection, what is
considered a "safe" method to implement search based on Web (or any client) entry form.

--
Plamen Ratchev
http://www.SQLStudio.com
From: Jay on
You must be building a poor man's search engine.

I would setup full-text search and write a procedure to search for the terms
passed in (as parameters) from the web page.


"Plamen Ratchev" <Plamen(a)SQLStudio.com> wrote in message
news:ooSdnZNRTp3kDarWnZ2dnUVZ_sJi4p2d(a)speakeasy.net...
>I am very curious if one does not accept that parameterized queries are the
>safe approach to SQL Injection, what is considered a "safe" method to
>implement search based on Web (or any client) entry form.
>
> --
> Plamen Ratchev
> http://www.SQLStudio.com


From: Erland Sommarskog on
Jay (spam(a)nospam.org) writes:
> You must be building a poor man's search engine.
>
> I would setup full-text search and write a procedure to search for the
> terms passed in (as parameters) from the web page.

You don't set up full-text to support a URL like:

www.host.com/product.aspx?productid=12345


--
Erland Sommarskog, SQL Server MVP, esquel(a)sommarskog.se

Links for SQL Server Books Online:
SQL 2008: http://msdn.microsoft.com/en-us/sqlserver/cc514207.aspx
SQL 2005: http://msdn.microsoft.com/en-us/sqlserver/bb895970.aspx
SQL 2000: http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

From: Plamen Ratchev on
Then I guess you did not read any of my posts, as since the beginning I have been proposing the following solution
(which is exactly full-text search with parameters):

-- Search terms as they arrive from the entry form (sample value)
DECLARE @keywords NVARCHAR(30);

SET @keywords = N'brown fox';

-- Require every term: 'brown fox' becomes 'brown AND fox'
SET @keywords = REPLACE(@keywords, ' ', ' AND ');

-- The whole condition is passed as a parameter; the full-text engine parses it
SELECT *
FROM FullTextTest
WHERE CONTAINS(*, @keywords);

--
Plamen Ratchev
http://www.SQLStudio.com
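An added example (not from any poster in this thread) showing the same principle in a host language: the value from the entry form or the query string always travels to the database as a bound parameter, never spliced into the SQL text. It uses Python's built-in sqlite3 with a constructed in-memory Products table, so there is no CONTAINS; the keyword search is approximated with one LIKE parameter per term joined by AND, the same "all terms required" condition the post above builds. The concatenated lookup is included only so the contrast with the parameterized form is visible on the same input.

```python
import sqlite3

# Constructed sample rows, standing in for the product table behind a URL
# such as product.aspx?productid=12345 mentioned earlier in the thread.
PRODUCTS = [
    (12345, "brown fox plush", 19.99),
    (12346, "red fox mug", 9.50),
    (20001, "quick brown bear", 29.00),
]


def make_db():
    """In-memory SQLite database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (productid INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO Products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def lookup_concatenated(conn, productid):
    """Unsafe pattern: the query-string value is pasted into the SQL text,
    so whatever it contains is parsed as SQL. Shown for contrast only."""
    sql = "SELECT productid, name FROM Products WHERE productid = " + productid
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, productid):
    """Safe pattern: the value is bound as a parameter. The database compares
    it as data; it is never parsed as part of the statement."""
    sql = "SELECT productid, name FROM Products WHERE productid = ?"
    return conn.execute(sql, (productid,)).fetchall()


def search_parameterized(conn, keywords):
    """Keyword search with one bound parameter per term, all terms required
    (the 'brown AND fox' condition). SQLite lacks CONTAINS, so LIKE stands in.
    The SQL text itself contains nothing that came from the user."""
    terms = [t for t in keywords.split() if t]
    if not terms:
        return []
    where = " AND ".join("name LIKE ?" for _ in terms)
    params = ["%" + t + "%" for t in terms]
    sql = "SELECT productid, name FROM Products WHERE " + where + " ORDER BY productid"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A constructed hostile value: with concatenation it widens the WHERE
    # clause to every row; as a parameter it simply matches nothing.
    hostile = "12345 OR 1=1"
    print("concatenated:", lookup_concatenated(db, hostile))
    print("parameterized:", lookup_parameterized(db, hostile))
    print("search 'brown fox':", search_parameterized(db, "brown fox"))
```

Two details worth noting: SQLite applies the column's numeric affinity to the bound text `'12345'`, so the parameterized lookup still matches the integer key, while a non-numeric string is compared as text and matches no row. In a real application the id would additionally be validated as an integer before it reaches the query; parameterization removes the injection risk, validation removes the junk.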
From: Jay on
> You don't set up full-text to support a URL like:
>
> www.host.com/product.aspx?productid=12345
>

I would hope that would be a clustered index lookup, or a partitioned table.

