User Comments on 'Concatenate strings in sql'
Posted by :
Archive Import (Bernie) at 16:25 on Thursday, April 10, 2003
Concatenating SQL strings is the worst thing you can do for application security reasons.
Do a search on the web for SQL Injection and you will see why.
Don't do it.
Use Parameterized Queries at least, and if you have SQL, use Stored Procedures.
Posted by :
pathak at 00:54 on Wednesday, March 03, 2004
I have this problem that I haven't been able to solve for almost a week now.
I am designing this SQL Server backend & ASP frontend software.
How do I update several fields at a time concurrently from the ASP? The update query needs a primary key for the row to be selected, but that primary key is being generated by SQL Server as a counter, so I am just defining the variable where this primary key is being stored: <%=rs(call_id)%>, call_id being 1, 2, 3... upon generation.
How do I select attributes pertaining to a particular call_id so that I make changes in that row upon pressing the save button?
Posted by :
fuzzyonion at 15:50 on Monday, June 27, 2005
The technique described doesn't present any security issues. The query wasn't formed from data obtained from users. The only string concatenation was of data retrieved from the database. SQL Injection involves unsafely using data from users in an SQL query and forming the query from that data, using concatenation most likely. But all that happens before the query is executed.
The problem would be if instead of saying product_id=35, he had received the 35 as an input from the user. Then if the user sent something like 35;drop table products, it could cause problems, dropping the table after doing the select. Make sense?
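The two points made in this thread, Bernie's advice to use parameterized queries and fuzzyonion's `35;drop table products` example, side by side in a runnable form. This is an added example, not code from any of the posters and not the ASP/SQL Server code the thread is about: it uses Python's standard `sqlite3` module and a constructed in-memory `products` table (the table name and the `product_id=35` row come from the thread; the column names and the "Widget"/"Gadget" rows are made up). The unsafe form is only built as a string and inspected, never executed; the safe form binds the same input as a parameter and is executed against the table.

```python
import sqlite3

# Constructed sample rows standing in for the products table the thread mentions.
SAMPLE_PRODUCTS = [(35, "Widget"), (36, "Gadget")]


def make_db():
    """Build an in-memory SQLite database holding the constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (product_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def build_query_unsafe(user_input):
    """The pattern Bernie warns against: the user's text is pasted into the SQL.
    The statement is returned, not executed, so the result can be inspected:
    with fuzzyonion's input it contains two statements where one was intended."""
    return "SELECT name FROM products WHERE product_id=" + user_input


def lookup_safe(conn, user_input):
    """Parameterized form: '?' is a bind placeholder. The driver sends the value
    separately from the statement text, so it is compared as a literal value
    and can never be parsed as SQL syntax, whatever characters it contains."""
    cur = conn.execute("SELECT name FROM products WHERE product_id=?", (user_input,))
    return cur.fetchall()


def table_exists(conn, name):
    """Check sqlite_master so the caller can confirm the table survived."""
    cur = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    )
    return cur.fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    hostile = "35;drop table products"  # the input fuzzyonion describes
    print(build_query_unsafe(hostile))  # the SELECT followed by an unintended DROP
    print(lookup_safe(conn, "35"))  # [('Widget',)]
    print(lookup_safe(conn, hostile))  # [] : compared as a literal, nothing matches
    print(table_exists(conn, "products"))  # True
```

The parameterized lookup returns an empty result for the hostile input rather than failing: the bound text simply does not equal any `product_id`. Validating that the input is an integer before it reaches the database (for example with `int(user_input)`) is a separate, additional layer; parameterization alone is what keeps the input from being interpreted as SQL.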