  1. #1

    Unanswered: Concatenation in query

    Hi all,

    I am using concatenation in a query in SQL Server like,

    Select Column1 + ' bla bla ' + Column2 as MyColumn from MyTable

    So, does any security issue occur here or not? Because someone told me: don't use concatenation in queries because it is not secure, worse in performance, and helpful for SQL injection.
    Any idea about that??

    Thanks
    Sajjad

  2. #2
    no security issue, performance is fine, and sql injection is irrelevant

    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL

  3. #3
    thanks
    please tell me about sql injection
    Regards,
    Sajjad
    C U ON NET
    reply me : sajjaddotnet@yahoo.com

  4. #4
    you may find out more about sql injection here
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL

  5. #5
    Quote Originally Posted by r937
    ...sql injection is irrelevant
    Care to elaborate?
    If it's not practically useful, then it's practically useless.

    blindman
    www.chess.com: "sqlblindman"
    www.LobsterShot.blogspot.com

  6. #6
    irrelevant in the context of the given question

    there's no way that this --
    Code:
    Select Column1 + ' bla bla ' + Column2 as MyColumn from MyTable
    will pose an sql injection threat, since the values are already in the table

    i usually try to restrict myself to answering questions always within the context of the question -- for example, replication and backup are irrelevant here, too
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL

  7. #7
    Depends upon whether 'blah blah' is passed as a variable.
    If it's not practically useful, then it's practically useless.

    blindman
    www.chess.com: "sqlblindman"
    www.LobsterShot.blogspot.com

  8. #8
    ' bla bla ' is a constant string in this context, isn't it

    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL

  9. #9
    I think it is unclear from his original post, which is why I was concerned that your response would be misconstrued.

    Hard-coded dynamic sql = Injection free.
    Concatenated parameters = Injection warning.
    If it's not practically useful, then it's practically useless.

    blindman
    www.chess.com: "sqlblindman"
    www.LobsterShot.blogspot.com
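The distinction blindman draws above, shown as an added example that is not from the thread: an in-memory SQLite database stands in for SQL Server (so string concatenation is spelled `||` rather than `+`), the table and column names are the thread's, and the row values and the `filter_*` helpers are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the thread's MyTable (values are made up)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE MyTable (Column1 TEXT, Column2 TEXT)")
    con.executemany("INSERT INTO MyTable VALUES (?, ?)",
                    [("Alice", "Smith"), ("Bob", "O'Neil")])
    return con


def concat_in_query(con):
    """The asker's case: columns concatenated inside the statement text.
    SQLite spells string concatenation '||' where T-SQL uses '+'.
    No caller-supplied text enters the SQL, so the apostrophe stored in
    Bob's row is just data and cannot change the statement."""
    rows = con.execute(
        "SELECT Column1 || ' bla bla ' || Column2 AS MyColumn FROM MyTable")
    return [r[0] for r in rows]


def filter_concatenated(con, last_name):
    """blindman's warning: a parameter spliced into the statement text.
    The apostrophe in O'Neil terminates the literal early and the rest of
    the value is parsed as SQL, so this raises sqlite3.OperationalError:
    data has become syntax, which is exactly the injection mechanism."""
    sql = "SELECT Column1 FROM MyTable WHERE Column2 = '" + last_name + "'"
    return [r[0] for r in con.execute(sql)]


def filter_parameterized(con, last_name):
    """Hardened form: the value travels as a bound parameter, never as SQL
    text, so O'Neil matches its row and nothing in it is read as syntax."""
    rows = con.execute(
        "SELECT Column1 FROM MyTable WHERE Column2 = ?", (last_name,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(concat_in_query(db))                 # ['Alice bla bla Smith', "Bob bla bla O'Neil"]
    print(filter_parameterized(db, "O'Neil"))  # ['Bob']
    try:
        filter_concatenated(db, "O'Neil")
    except sqlite3.OperationalError as err:
        print("concatenated query broke:", err)
```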

  10. #10
    ooh, i like it when you get concerned -- don't stop

    you are right, sql injection is serious business, and perhaps it's a good idea to mention it in every situation where it might poke its ugly little snoot
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL

  11. #11
    thanks to all
    Regards,
    Sajjad
    C U ON NET
    reply me : sajjaddotnet@yahoo.com
