|
|
Home » ASP » Article
|
|
| Viewed: 189453 times |
Rating (60 votes): |
|
2.1 out of 5 |
|
|
|
Concatenate Strings in SQL
Sometime you may need to add a bit of text to a query result on the fly - as you query, you add the text.
This is called concatenating a string - literally meaning 'sticking together'.
It's really quite easy to do. Let's say we have a record in the products table
for 'washing machine' with an product_id of 35. There are 5 of them
in the quantity field and the product_price per item is $3.25. Here's the query we could use:
the recordset set now contains one field called strProductText which contains:
5 washing machines at the price of $3.25.
Outputting to an ASP page
To display the result in an asp page all you need is
As you can see it can be an effective an quick way of producing a full sentence. Notice we added the 's' after the product name
( you could ensure earlier that it was quantity was <>1 before adding this!) and that we also added the dollar sign in front of the price -
all available as part of the returned field in our recordset.
Concatenating in MS ACCESS
The process is almost identical if you're using an Access database - the only difference is you need to use the & sign instead of the + sign.
|
|
View highlighted Comments
 User Comments on 'Concatenate strings in sql'
|
|
|
Posted by :
 Archive Import (Bernie) at 16:25 on Thursday, April 10, 2003
|
Concatenating SQL strings is the worst thing you can do for application security reasons.
Do a search on the web for SQL Injection and you will see why.
Don't do it.
Use Parameratized Queries at least, and if you have SQL use Stored Procedures.
| |
|
|
Posted by :
 pathak at 00:54 on Wednesday, March 03, 2004
|
have this problem that i havent been able to solve for almost a week now.....
i am designing this SQL server backend & ASP frontend software....
how do i update several fields at a time concurrently from the ASP??? the update query needs a primary key for the row to be selected but that primary key is being generated by SQL server as a counter.....so i am just defining the variable where this primary key is being stored. <%=rs(call_id))%> call_id being 1,2,3... upon generation
how do i select attributes pertaining to a particular call_id so that i make changes in that row upon pressing the save button?
| |
|
Posted by :
fuzzyonion at 15:50 on Monday, June 27, 2005
|
The technique described doesn't present any security issues. The query wasn't formed from data obtained from users. The only string concatenation was of data retrieved from the database. SQL Injection involves unsafely using data from users in an SQL query and forming the query from that data, using concatenation most likely. But all that happens before the query is exectuted.
The problem would be if instead of saying product_id=35, he had received the 35 as an input from the user. Then if the user sent something like 35;drop table products, it could cause problems, dropping the table after doing the select. Make sense?
| |
|
To post comments you need to become a member. If you are already a member, please log in .
 
| |
