  1. #1
    Join Date
    Mar 2002
    Posts
    14

    Unanswered: Parameterized Make-Table Query: HELP!!!


    Please help! I am trying to build an ASP application on top of an existing Access database. I have a make-table query that I am trying to run. I found out that I cannot run it directly, so I copied the SQL code into ASP. The problem is that this query is based on other queries that use parameters entered by the user.
    How do I write my parameters (what is the syntax)? The HAVING clause is giving an error.

    To run a select query with parameters is straightforward:
    strQuery = "query1 '" & param1 & "','" & param2 & "'"
    RS.Open strQuery, MyConn, 0, 4

    Thanks in advance.

  2. #2
    Join Date
    Oct 2002
    Location
    Cape Town, South Africa
    Posts
    253
    No! No! No!
    To run a select query with parameters is straightforward:
    strQuery = "query1 '" & param1 & "','" & param2 & "'"
    RS.Open strQuery, MyConn, 0, 4
    Never ever use concatenation for your SQL statements. Using the code you showed, a malicious user can delete all data from your database or even drop your database. Rather use ADO parameters. Investigate: Command.Parameters.Add method.

    And your SQL will look something like:
    "select [columnlist] from [tablelist and joins] where [column] = ?"
    The ? is for the parameter, which ADO substitutes for you. This method ensures that no DML or DDL commands can piggyback your query.

  3. #3
    Join Date
    Mar 2002
    Posts
    14
    I am new to ASP and SQL; I had no idea that this code could be dangerous. Here is the link to the article I found on the net:
    http://www.xefteri.com/articles/apr302002/default.aspx

    This actually helped me a lot, because I have 10-15 queries that are run before the one I actually call here, and the parameters are mainly required in the previous queries. How do I do this safely in SQL?
    Thank you
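The following classic ASP page is an added example written for this thread; it is not code posted by either participant or by the linked article. It shows the two things the replies above discuss: binding user input to `?` placeholders in an ad-hoc SELECT (reply #2), and executing a saved, parameterised Access query such as the make-table query from post #1 without splicing values into the SQL text (the question in post #3). In ADO the method is `Command.Parameters.Append` with `Command.CreateParameter`; reply #2's `Parameters.Add` is the ADO.NET name. The Jet provider string, the database path, the `Customers` table and columns, the saved query name `query1` and its two text parameters are all assumptions for illustration.

```vbscript
<%
' Added example, not from the original thread. Assumed: a Jet/Access .mdb at
' data/app.mdb, a Customers table with Region/City columns, and a saved query
' "query1" declared with two text PARAMETERS (for instance a make-table query).
Option Explicit

' ADO constants (VBScript has no adovbs.inc unless you include it)
Const adCmdText          = 1
Const adCmdStoredProc    = 4
Const adVarWChar         = 202
Const adParamInput       = 1
Const adExecuteNoRecords = 128

Dim conn, cmd, rs, param1, param2
' Untrusted user input; it is bound as data below, never concatenated into SQL.
param1 = Request.Form("param1")
param2 = Request.Form("param2")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
          Server.MapPath("data/app.mdb")   ' assumed path

' 1. Ad-hoc SELECT: "?" markers instead of string concatenation.
'    Jet binds parameters by position, so append them in the order of the "?"s.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT CustomerID, CustomerName FROM Customers " & _
                  "WHERE Region = ? AND City = ?"
cmd.Parameters.Append cmd.CreateParameter("pRegion", adVarWChar, adParamInput, 50, param1)
cmd.Parameters.Append cmd.CreateParameter("pCity",   adVarWChar, adParamInput, 50, param2)
Set rs = cmd.Execute

Do Until rs.EOF
    ' Encode on output as well, so stored data cannot inject HTML into the page.
    Response.Write Server.HTMLEncode(rs("CustomerName")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing

' 2. Saved Access query with PARAMETERS: ADO runs it like a stored procedure.
'    The same values are bound by position; nothing from the user touches the
'    SQL text, so quotes, semicolons or DROP statements in the input stay data.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "query1"                     ' assumed saved query name
cmd.Parameters.Append cmd.CreateParameter("p1", adVarWChar, adParamInput, 50, param1)
cmd.Parameters.Append cmd.CreateParameter("p2", adVarWChar, adParamInput, 50, param2)
' An action (make-table, append, update) query returns no rows.
cmd.Execute , , adExecuteNoRecords

conn.Close
Set cmd  = Nothing
Set conn = Nothing
%>
```

Because the saved query is executed with `adCmdStoredProc`, the queries it depends on receive their parameter values through Jet's own parameter resolution rather than through text you assemble in ASP, which is what makes this approach safe for a chain of dependent queries. If the parameter order or types are unclear, `cmd.Parameters.Refresh` asks the provider to describe them before you assign values.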
