RE: Multiple parameters from Querystring to search the Database (SQL Server 2008 T-SQL (SS2K8) forum)

  • babar_ch - Wednesday, January 24, 2018 10:46 PM

    Hi,
    Thank you for the reply. I am using a function to avoid injection like ColorC=Sqlinj(Request.QueryString("Color")) that removes the harmful statements.

    Blacklisting doesn't work except against the simplest forms of SQL injection. It's a false sense of security that anyone competent (or any well-written injection tool) will get around.
    Parameterise your queries and DO NOT concatenate input into strings and execute them.

    I don't think that 2005 had table-type parameters (and why are you using something so old and out of support), so you'll need to pass a comma-delimited list and use a string splitting function.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
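
The approach Gail Shaw describes (pass the list as a single parameter, split it inside the database, never concatenate request values into statement text), as an added T-SQL example that is not from either poster. It assumes a hypothetical table dbo.Products(ProductID, Name, Color); the function and procedure names are made up for the example, and the code avoids 2008-only syntax so it runs on SQL Server 2005 as well.

```sql
-- Added example, not part of the original thread.
-- Assumes a hypothetical table dbo.Products (ProductID int, Name nvarchar(100), Color nvarchar(50)).
-- Uses only SQL Server 2005/2008 syntax: no STRING_SPLIT (2016), no table-valued parameters (2008).

-- 1. Splitting function: turns N'Red, Green,,Blue' into three rows: Red, Green, Blue.
--    Empty items are dropped and surrounding spaces trimmed; a NULL list yields no rows.
CREATE FUNCTION dbo.SplitList (@List nvarchar(max), @Delimiter nchar(1))
RETURNS @Items TABLE (Item nvarchar(100) NOT NULL)
AS
BEGIN
    DECLARE @Start int, @End int;
    SET @Start = 1;
    SET @End = CHARINDEX(@Delimiter, @List, @Start);
    WHILE @Start <= LEN(@List)
    BEGIN
        IF @End = 0 SET @End = LEN(@List) + 1;          -- last item: no delimiter after it
        IF @End > @Start
            INSERT @Items (Item)
            SELECT LTRIM(RTRIM(SUBSTRING(@List, @Start, @End - @Start)))
            WHERE  LTRIM(RTRIM(SUBSTRING(@List, @Start, @End - @Start))) <> N'';
        SET @Start = @End + 1;
        SET @End = CHARINDEX(@Delimiter, @List, @Start);
    END;
    RETURN;
END;
GO

-- 2. Search procedure. The whole query-string value arrives as ONE parameter and is
--    only ever compared as data, so nothing the user types can alter the statement.
CREATE PROCEDURE dbo.SearchProductsByColor
    @Colors      nvarchar(max),            -- e.g. N'Red,Green' straight from Request.QueryString
    @NamePattern nvarchar(100) = NULL      -- optional second search parameter
AS
BEGIN
    SET NOCOUNT ON;
    SELECT p.ProductID, p.Name, p.Color
    FROM   dbo.Products AS p
    WHERE  p.Color IN (SELECT Item FROM dbo.SplitList(@Colors, N','))
      AND (@NamePattern IS NULL OR p.Name LIKE N'%' + @NamePattern + N'%');
    -- Note: LIKE wildcards (% and _) in @NamePattern widen the match; that is not
    -- injection, but escape them with ESCAPE if exact matching matters.
END;
GO

-- Usage: the caller passes the raw list; no quoting, no blacklist function needed.
EXEC dbo.SearchProductsByColor @Colors = N'Red,Blue';

-- 3. The pattern a blacklist like Sqlinj() tries to defend: user text becomes part of
--    the statement. A value of  Red' OR 1=1--  turns the WHERE clause into
--    "Color = 'Red' OR 1=1--'" and returns every row, whatever keywords were stripped.
DECLARE @Color nvarchar(100), @Sql nvarchar(max);
SET @Color = N'Red'' OR 1=1--';
SET @Sql = N'SELECT ProductID, Name, Color FROM dbo.Products WHERE Color = ''' + @Color + N'''';
-- EXEC (@Sql);   -- left unexecuted on purpose: this is the vulnerable form

-- 4. If dynamic SQL is genuinely unavoidable, bind the value with sp_executesql.
--    The same attack string is now just a colour name that matches no rows.
SET @Sql = N'SELECT ProductID, Name, Color FROM dbo.Products WHERE Color = @c';
EXEC sp_executesql @Sql, N'@c nvarchar(100)', @c = @Color;
```

On the application side the same rule applies: call the procedure through ADODB.Command with CreateParameter/Parameters.Append rather than building the EXEC string from Request.QueryString, so the list reaches SQL Server as a bound parameter value. On SQL Server 2008 and later a table-valued parameter can replace the delimited list and the splitting function entirely.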