January 24, 2018 at 9:01 am
Hi,
I have a form where users can click on the colors check-boxes. These values go to query string like.
http://www.example.com/page?Color=Red&Color=Black&Color=Blue
ColorC=Request.QueryString("Color")
This gives values like ColorC=Red, Black, Blue
(1-20 color selections)
My question is that how to search the database by SQL statement. The following will not work in this case. I am using VBscript and MS SQL database.
SQL = "Select * from Products where DESCRIPTION LIKE '%" & ColorC & "%'"
The number of colors are not fixed, there could be 1, 2, 3, 5, 6 more colors as selected by a user. And it has LIKE as it finds colors in product description. How does IN work in this case.
January 24, 2018 at 9:13 am
Please don't ever do that. There's a critical security flaw in your code (SQL Injection). NEVER concatenate parameters into a string and execute the string.
Have a look at table-type parameters to pass multiple values to a stored procdure.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
January 24, 2018 at 9:23 am
Alternatively, instead of using a Table-type parameter, you could consider passing the value as a delimited string and then using a string splitter.
Either way, Gail is completely right; parametrise your SQL, or use a Stored Procedure. SQL Injection is never a good thing.
Thom~
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
Larnu.uk
January 24, 2018 at 10:46 pm
Hi,
Thank you for the reply. I am using a function to avoid injection like ColorC=Sqlinj(Request.QueryString("Color")) that removes the harmful statements.
I am not very good at coding. Can you please write the statements in detail to solve the problem mentioned above.
Thanks
January 24, 2018 at 11:02 pm
babar_ch - Wednesday, January 24, 2018 10:46 PMHi,
Thank you for the reply. I am using a function to avoid injection like ColorC=Sqlinj(Request.QueryString("Color")) that removes the harmful statements.
I am not very good at coding. Can you please write the statements in detail to solve the problem mentioned above.Thanks
I am using SQL Server 2005.
January 25, 2018 at 1:32 am
babar_ch - Wednesday, January 24, 2018 10:46 PMHi,
Thank you for the reply. I am using a function to avoid injection like ColorC=Sqlinj(Request.QueryString("Color")) that removes the harmful statements.
Blacklisting doesn't work except against the simplest forms of SQL injection. It's a false sense of security that anyone competent (or any well-written injection tool) will get around.
Parameterise your queries and DO NOT concatenate input into strings and execute them
I don't think that 2005 had table-type parameters (any why are you using something so old and out of support), so you'll need to pass a comma-delimited list and use a string splitting function.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply