RE: how to split the comma delimited string into rows without using LOOP, CTE, XML.

  • For more information on SQL Injection, my recommendation would be to Google it. It's a large subject and contains way too much information for me to post on a thread.

    The bottom line is that if you concatenate any character based parameters using Dynamic SQL, your code is subject to SQL Injection. That also includes any front-end code. In order to prevent such injection, the code must be properly parameterized. In SQL Server, such parameterization can be done using sp_ExecuteSQL.

    Probably the best example on the internet of how to use that for "catch-all" queries may be found at the following link.

    http://sqlinthewild.co.za/index.php/2009/03/19/catch-all-queries/

    Probably the world's most famous and extremely pertinent cartoon on the subject of SQL Injection can be found at the following URL...

    http://xkcd.com/327/

    SQL Injection is still the world's biggest problem for hack-attacks. Don't take it lightly.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)
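To make the point about parameterization concrete, here is an added example (not Jeff's code and not from the linked article) showing the same "catch-all" search written both ways on SQL Server 2008: once by concatenating character parameters into the dynamic SQL, and once by handing the statement and its values to sp_executesql separately. The table dbo.Customer and its columns are assumed for illustration only.

```sql
-- Added example, not part of the original post. Assumes a constructed table:
--   dbo.Customer (CustomerID INT, LastName NVARCHAR(100), City NVARCHAR(100))

-- 1) Subject to SQL Injection: the parameter values become part of the code text.
CREATE PROCEDURE dbo.SearchCustomer_Unsafe
    @LastName NVARCHAR(100) = NULL,
    @City     NVARCHAR(100) = NULL
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) = N'SELECT CustomerID, LastName, City FROM dbo.Customer WHERE 1 = 1';

    IF @LastName IS NOT NULL
        SET @sql += N' AND LastName = ''' + @LastName + N'''';  -- value spliced into the statement
    IF @City IS NOT NULL
        SET @sql += N' AND City = ''' + @City + N'''';

    EXEC (@sql);   -- whatever the caller typed is now compiled as T-SQL
END;
GO

-- 2) Properly parameterized: sp_executesql receives the statement text and the
--    values separately, so a value can never change the structure of the query.
--    Unused parameters may stay declared, which is what makes the catch-all
--    pattern work without branching into a separate statement per combination.
CREATE PROCEDURE dbo.SearchCustomer_Safe
    @LastName NVARCHAR(100) = NULL,
    @City     NVARCHAR(100) = NULL
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) = N'SELECT CustomerID, LastName, City FROM dbo.Customer WHERE 1 = 1';

    IF @LastName IS NOT NULL
        SET @sql += N' AND LastName = @LastName';   -- placeholder, not the value
    IF @City IS NOT NULL
        SET @sql += N' AND City = @City';

    EXEC sys.sp_executesql
        @stmt     = @sql,
        @params   = N'@LastName NVARCHAR(100), @City NVARCHAR(100)',
        @LastName = @LastName,
        @City     = @City;
END;
GO

-- A perfectly legitimate value with an embedded quote shows the difference:
-- the unsafe version raises a syntax error because the apostrophe is parsed as
-- code; the safe version simply searches for the name.
EXEC dbo.SearchCustomer_Unsafe @LastName = N'O''Brien';
EXEC dbo.SearchCustomer_Safe   @LastName = N'O''Brien';
GO
```

The apostrophe test is a useful smoke test for reviewers: any dynamic SQL that breaks on a name like O'Brien is treating data as code, and that is exactly the seam an injection rides through. Beyond safety, sp_executesql also lets SQL Server reuse the cached plan for each combination of supplied predicates, which is the other half of the argument made in the catch-all article linked above.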