From: Plamen Ratchev on 27 Dec 2009 11:51

I am very curious: if one does not accept that parameterized queries are the safe approach to SQL injection, what is considered a "safe" method to implement search based on a Web (or any client) entry form?

--
Plamen Ratchev
http://www.SQLStudio.com
From: Jay on 27 Dec 2009 14:19

You must be building a poor man's search engine.

I would set up full-text search and write a procedure to search for the terms passed in (as parameters) from the web page.

"Plamen Ratchev" <Plamen(a)SQLStudio.com> wrote in message news:ooSdnZNRTp3kDarWnZ2dnUVZ_sJi4p2d(a)speakeasy.net...
> I am very curious if one does not accept that parameterized queries are the
> safe approach to SQL Injection, what is considered a "safe" method to
> implement search based on Web (or any client) entry form.
>
> --
> Plamen Ratchev
> http://www.SQLStudio.com
From: Erland Sommarskog on 27 Dec 2009 14:46

Jay (spam(a)nospam.org) writes:
> You must be building a poor man's search engine.
>
> I would set up full-text search and write a procedure to search for the
> terms passed in (as parameters) from the web page.

You don't set up full-text to support a URL like:

www.host.com/product.aspx?productid=12345

--
Erland Sommarskog, SQL Server MVP, esquel(a)sommarskog.se

Links for SQL Server Books Online:
SQL 2008: http://msdn.microsoft.com/en-us/sqlserver/cc514207.aspx
SQL 2005: http://msdn.microsoft.com/en-us/sqlserver/bb895970.aspx
SQL 2000: http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
From: Plamen Ratchev on 27 Dec 2009 16:28

Then I guess you did not read any of my posts, as since the beginning I have been proposing the following solution (which is exactly full-text search with parameters):

-- The search terms arrive as a single parameter value; they are never spliced into SQL text.
DECLARE @keywords NVARCHAR(30);
SET @keywords = N'brown fox';
-- Turn the space-separated words into a CONTAINS search condition: 'brown AND fox'
SET @keywords = REPLACE(@keywords, ' ', ' AND ');

SELECT *
FROM FullTextTest
WHERE CONTAINS(*, @keywords);

--
Plamen Ratchev
http://www.SQLStudio.com
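A runnable illustration of the point argued in this thread, added here and not part of any of the posts above: the productid lookup from Erland's example URL and a multi-term keyword search, each shown in the string-concatenation form beside the parameterized one. It uses Python's sqlite3 module as a stand-in for SQL Server (so plain LIKE stands in for CONTAINS), and the Products table, its rows, the function names and the sample payloads are all constructed for the example.

```python
import sqlite3

# Constructed sample catalogue for the example; not data from the thread.
PRODUCTS = [
    (12345, "Brown fox plush toy"),
    (12346, "Quick brown hat"),
    (99999, "Internal test item"),
]


def make_db():
    """Build an in-memory table standing in for the SQL Server product table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Products (productid INTEGER PRIMARY KEY, name TEXT NOT NULL)"
    )
    con.executemany("INSERT INTO Products VALUES (?, ?)", PRODUCTS)
    return con


def lookup_product_concat(con, productid):
    """VULNERABLE: the raw URL value becomes part of the SQL text.
    ?productid=12345 OR 1=1 turns the lookup into a dump of the table."""
    sql = "SELECT productid, name FROM Products WHERE productid = " + productid
    return con.execute(sql).fetchall()


def lookup_product_param(con, productid):
    """Safe: enforce the type the URL parameter must have, then bind it.
    Whatever the client sends is a value compared against the column,
    never SQL syntax."""
    try:
        pid = int(productid)
    except ValueError:
        return []  # reject non-numeric ids before SQL ever sees them
    return con.execute(
        "SELECT productid, name FROM Products WHERE productid = ?", (pid,)
    ).fetchall()


def _like_pattern(term):
    """Escape LIKE wildcards so a user term matches literally (not injection,
    but an unescaped '%' would otherwise match every row)."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + escaped + "%"


def search_products(con, keywords):
    """All terms must match (the same AND semantics as the CONTAINS example).
    The SQL text grows only by fixed fragments and '?' placeholders; every
    user-supplied term travels as a bound parameter."""
    terms = keywords.split()  # split() also collapses runs of whitespace
    if not terms:
        return []
    where = " AND ".join(["name LIKE ? ESCAPE '\\'"] * len(terms))
    sql = "SELECT productid, name FROM Products WHERE " + where + " ORDER BY productid"
    return con.execute(sql, tuple(_like_pattern(t) for t in terms)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print(lookup_product_concat(con, "12345 OR 1=1"))  # every row in the table
    print(lookup_product_param(con, "12345 OR 1=1"))   # []
    print(search_products(con, "brown fox"))           # only the matching product
    print(search_products(con, "' OR '1'='1"))         # []
```

Two things worth noting when carrying this back to the T-SQL snippet above. First, the search-term string stays a parameter value all the way through, so the worst a hostile keyword string can do is make CONTAINS fail on a malformed search condition; for instance, the REPLACE in the post turns two consecutive spaces into "AND  AND", which CONTAINS would reject, whereas split() here collapses repeated whitespace. Second, building a WHERE clause with a variable number of "?" placeholders is still parameterized: the user's data never touches the query text, only the count of fixed fragments does.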
From: Jay on 27 Dec 2009 19:29

> You don't set up full-text to support a URL like:
>
> www.host.com/product.aspx?productid=12345
>
I would hope that would be a clustered index lookup, or a partitioned table.