From: Jay on 27 Dec 2009 19:36

OK, I'm sorry. I think the subject of SQL Injection just kinda fritzes me out.

"Plamen Ratchev" <Plamen(a)SQLStudio.com> wrote in message news:ooSdnZJRTp0eTKrWnZ2dnUVZ_sJi4p2d(a)speakeasy.net...
> Then I guess you did not read any of my posts, as since the beginning I
> have been proposing the following solution (which is exactly full-text
> search with parameters):
>
> DECLARE @keywords NVARCHAR(30);
>
> SET @keywords = N'brown fox';
>
> SET @keywords = REPLACE(@keywords, ' ', ' AND ');
>
> SELECT *
> FROM FullTextTest
> WHERE CONTAINS(*, @keywords);
>
> --
> Plamen Ratchev
> http://www.SQLStudio.com
From: Geoff N. Hiten on 28 Dec 2009 10:11

While your example used parameterized queries, you never explained nor emphasized what that was or why it was important, hence my continued reference to SQL Injection attacks.

--
Geoff N. Hiten
Principal SQL Infrastructure Consultant
Microsoft SQL Server MVP

"Plamen Ratchev" <Plamen(a)SQLStudio.com> wrote in message news:N6CdnWc_r_-Qy6_WnZ2dnUVZ_gNi4p2d(a)speakeasy.net...
> Geoff,
>
> Can you demonstrate SQL Injection using parameterized query with full-text
> search? Take as base the example we have been discussing here:
>
> DECLARE @keywords NVARCHAR(30);
>
> SET @keywords = N'brown fox';
>
> SET @keywords = REPLACE(@keywords, ' ', ' AND ');
>
> SELECT *
> FROM FullTextTest
> WHERE CONTAINS(*, @keywords);
>
> I really do not think it is possible, but maybe I am missing something.
>
> --
> Plamen Ratchev
> http://www.SQLStudio.com
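As an added illustration of the point the thread circles around (not code from either poster), here is the same pattern from the application side in Python, with SQLite FTS5 standing in for SQL Server full-text search (its `MATCH ?` plays the role of `CONTAINS(*, @keywords)`; the table name and sample rows are constructed): the space-to-AND preprocessing is identical, the expression is bound as a parameter, and input carrying quote or semicolon characters can only become a malformed full-text expression, never SQL.

```python
import sqlite3

# Constructed sample corpus. SQLite FTS5 stands in for SQL Server full-text
# search here: the thread's CONTAINS(*, @keywords) becomes FTS5's MATCH ?.
DOCS = [
    (1, "the quick brown fox jumps over the lazy dog"),
    (2, "a brown bear in the woods"),
    (3, "a red fox in the snow"),
]

def open_db():
    """Create an in-memory database with the FullTextTest table and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE VIRTUAL TABLE FullTextTest USING fts5(body)")
    conn.executemany("INSERT INTO FullTextTest(rowid, body) VALUES (?, ?)", DOCS)
    return conn

def keyword_search(conn, keywords):
    """Return matching rowids, or None if the full-text expression is malformed.

    Mirrors the thread's T-SQL: each space becomes ' AND ', so every word must
    match, and the result reaches the search engine only as a bound parameter.
    """
    expr = keywords.strip().replace(" ", " AND ")
    try:
        rows = conn.execute(
            # The SQL text is a constant; the caller's input only ever reaches
            # the full-text parser through the ? placeholder, never the SQL parser.
            "SELECT rowid FROM FullTextTest WHERE FullTextTest MATCH ? ORDER BY rowid",
            (expr,),
        ).fetchall()
    except sqlite3.OperationalError:
        # Stray quotes or punctuation are bad full-text syntax and are rejected
        # by the full-text parser. Nothing in the input is executed as SQL.
        return None
    return [r[0] for r in rows]

def row_count(conn):
    """Number of indexed documents, used to confirm the table is untouched."""
    return conn.execute("SELECT count(*) FROM FullTextTest").fetchone()[0]
```

Searching for `"fox'; fox"` returns None (a full-text syntax error) while the table keeps all of its rows, which is the behaviour the parameterized form guarantees; the caveat is that legitimate apostrophes in search terms hit the same error unless each term is quoted for the full-text grammar.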