Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.databases.ms-sqlserver > #1230

Re: Escape Characters in Strings

From Gene Wirchenko <genew@ocis.net>
Newsgroups comp.databases.ms-sqlserver
Subject Re: Escape Characters in Strings
Date 2012-08-22 17:38 -0700
Organization A noiseless patient Spider
Message-ID <ehua385cpthehtgelajjbfrpj59o6fimmg@4ax.com> (permalink)
References (1 earlier) <XnsA0B7614C3AD91Yazorman@127.0.0.1> <2s0a38toaa3n1th1e42kmat8n0ei6v9bah@4ax.com> <XnsA0B7D82775B60Yazorman@127.0.0.1> <n5ha38dbi03o3npmc3emukmisrb2qevl53@4ax.com> <XnsA0B7EFF25680AYazorman@127.0.0.1>

Show all headers | View raw

On Wed, 22 Aug 2012 23:35:15 +0200, Erland Sommarskog
<esquel@sommarskog.se> wrote:

>Gene Wirchenko (genew@ocis.net) writes:
>>      I will be building only statements that execute stored
>> procedures.  e.g.
>>            execute ExampleProc 'abc',1,2,3
>> or
>>            execute ExampleProc theString='abc',foo=1,bar=2,baz=3
>> Does that count?
> 
>Yes, that counts, and you should not be doing it. Assuming that you are
>using C#, it should look like this:

     Rats!  I would be using VBScript.  I hope the syntax is similar.

>  cmd.CommandType = CommandType.StoredProcedure;
>  cmd.CommandText = "dbo.ExampleProc";    // Always include schema!
>  cmd.Parameters.Add("@theString", SqlDBTypes.VarChar, 20);
>  cmd.Parameters["@theString"].Value = "abc";

     There appear to be pieces missing.  Presumably, the other
parameters get similar treatment in their declared order, and
something must state to go.

>This results in an RPC call which is more efficient. And there is no risk 
>for SQL Injection.

     I will do some hunting for SQL Server and RPC and see what it
gets me.

Sincerely,

Gene Wirchenko

Back to comp.databases.ms-sqlserver | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

Escape Characters in Strings Gene Wirchenko <genew@ocis.net> - 2012-08-21 15:39 -0700
  Re: Escape Characters in Strings Erland Sommarskog <esquel@sommarskog.se> - 2012-08-22 07:33 +0000
    Re: Escape Characters in Strings Gene Wirchenko <genew@ocis.net> - 2012-08-22 09:10 -0700
      Re: Escape Characters in Strings Erland Sommarskog <esquel@sommarskog.se> - 2012-08-22 21:14 +0200
        Re: Escape Characters in Strings Gene Wirchenko <genew@ocis.net> - 2012-08-22 13:53 -0700
          Re: Escape Characters in Strings Erland Sommarskog <esquel@sommarskog.se> - 2012-08-22 23:35 +0200
            Re: Escape Characters in Strings Gene Wirchenko <genew@ocis.net> - 2012-08-22 17:38 -0700
              Re: Escape Characters in Strings Erland Sommarskog <esquel@sommarskog.se> - 2012-08-23 10:22 +0000
          Re: Escape Characters in Strings "Bob Barrows" <reb01501@NOSPAMyahoo.com> - 2012-08-23 07:05 -0400
            Re: Escape Characters in Strings Erland Sommarskog <esquel@sommarskog.se> - 2012-08-23 23:13 +0200
              Re: Escape Characters in Strings "Bob Barrows" <reb01501@NOSPAMyahoo.com> - 2012-08-23 18:22 -0400
                Re: Escape Characters in Strings Erland Sommarskog <esquel@sommarskog.se> - 2012-08-24 07:40 +0000
                Re: Escape Characters in Strings "Bob Barrows" <reb01501@NOSPAMyahoo.com> - 2012-08-24 06:16 -0400

csiph-web