February 17, 2007 at 3:15 pm
Hello,
In our .NET application, we allow end users to write their own query and then return data to the client. The place where the user writes the query now is a simple text box that allows multiple lines. Instead, I would like to have some kind of control that is SQL Server code aware, gives the ability for color coding, check the syntax of the code etc., something similar to the Query Analyzer window so that end user can validate the query before actually running it and also clearly see their query with the same Query Analyzer look and feel.
Is there any such control available in the market that I can purchase or someone has any pointers for my needs?
Thanks for your help.
Ganesh
February 19, 2007 at 7:49 am
How many users? How educated, as in knowledge of SQL and DBs, are your users? How big is the DB? (Think about it: forget one join clause, and the query runs for hours.) What if they decide to update or delete?
On its face, giving users such access is absolutely The. Worst. Thing. you can do.
February 19, 2007 at 1:21 pm
You can send the query to SQL with the following options:
SET NOEXEC ON
SET PARSEONLY ON
SELECT * FROM SOMETABLE
SET NOEXEC OFF
SET PARSEONLY OFF
You could then simply return the errors returned from SQL, i.e. table SOMETABLE does not exist.
I've done this myself, and simply added extra validation to not permit INSERT / UPDATE / CREATE / DBCC and some other commands, as I want them to do SELECT statements only.
Lowell
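An added example, not part of any post in this thread: the SELECT-only restriction and the runaway-query concern raised above, enforced by the database itself rather than by filtering keywords in the application. The database name ReportingDb, the role adhoc_select_only, the login adhoc_reader, the dbo schema and the cost limit of 30 are assumptions made for illustration.

```sql
-- Added example. All object names below are hypothetical.
-- GO is the batch separator used by Query Analyzer / sqlcmd; from a .NET
-- client, send each batch as its own command instead.

USE ReportingDb;   -- assumed database name
GO

-- 1. A role that can read the dbo schema and nothing else.
CREATE ROLE adhoc_select_only;
GO
GRANT SELECT ON SCHEMA::dbo TO adhoc_select_only;
-- Explicit DENY wins over any GRANT the user might pick up from another role.
DENY INSERT, UPDATE, DELETE, EXECUTE, ALTER ON SCHEMA::dbo TO adhoc_select_only;
GO

-- 2. A dedicated login/user that the application uses ONLY for user-written
--    queries. It must not be a member of db_owner, db_datawriter or sysadmin.
CREATE LOGIN adhoc_reader WITH PASSWORD = '<replace-with-a-strong-password>';
GO
CREATE USER adhoc_reader FOR LOGIN adhoc_reader;
GO
EXEC sp_addrolemember 'adhoc_select_only', 'adhoc_reader';
GO

-- 3. On the connection opened as adhoc_reader, before running user text:
--    refuse any query whose estimated cost exceeds the limit (for example a
--    forgotten join clause that produces a cross join).
SET QUERY_GOVERNOR_COST_LIMIT 30;   -- assumed threshold, tune per workload
GO

-- 4. "Validate" button: compile the user's text without executing it and
--    return any error messages to the user.
SET NOEXEC ON;
GO
SELECT * FROM SOMETABLE;            -- the user's query text goes here
GO
SET NOEXEC OFF;
GO

-- 5. "Run" button: execute the same text on the same restricted connection.
--    An UPDATE, DELETE, INSERT or EXEC typed by the user now fails with a
--    permission error regardless of what the application-side filter missed.
SELECT * FROM SOMETABLE;
GO
```

A command timeout set on the .NET side complements the cost limit, since the governor acts on the optimizer's estimate rather than on actual run time.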