[AccessD] Upsize?

Michael Maddison michael at ddisolutions.com.au
Tue Dec 20 17:15:49 CST 2005


Marty,

I can guard against SQL Injection.  
In my instance the db is a reporting tool which has very little data that cannot
be recreated (given a worst case scenario).

How would you write a sproc that has 80 variable combos of Select columns
and approx 50 variable Where parts?  

cheers

Michael M

SQL injection is the problem.

Michael Maddison wrote:

>Hi Jürgen,
>
>When faced with the same problem I went dynamic.  Every other option 
>just as you say looks ugly.
>I never found a good alternative, no one has offered one this time either.  
>It seems to me that in situations like this the 'developers' go with 
>dynamic SQL, the DBAs moan ;-)
>
>cheers
>
>Michael M
>
>
>
>Michael:
>
>With variable joins, do you point something like a list source of search 'hits' to different queries, one query for each join, or how do you handle variable combinations of joins?  Let's say there is 1 table that may be joined to 0 to 5 other tables in various combinations, being 32 possible querydefs.  I've always constructed the SQL in code and was very satisfied with the performance.  Add another table and you're up to 64 querydefs.  
>That's ugly.
>
>
>
>Ciao
>Jürgen Welz
>Edmonton, Alberta
>jwelz at hotmail.com
>
>
>
>
>
>  
>
>>From: "Michael Maddison" <michael at ddisolutions.com.au>
>>
>>Hi Jürgen,
>>
>>If you go with variable parameters, check out the 'With Recompile' option.
>>It forces a new execution plan each time the procedure is run and 
>>overcomes SQL's 'parameter sniffing' problem.
>>
>>cheers
>>
>>Michael Maddison
>>
>>DDI Solutions Pty Ltd
>>michael at ddisolutions.com.au
>>Bus: 0260400620
>>Mob: 0412620497
>>www.ddisolutions.com.au
>>    
>>
>
>
>  
>

--
Marty Connelly
Victoria, B.C.
Canada
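One way to write the kind of sproc Michael asks about (variable Select columns, variable Where parts) without splicing caller-supplied text into the statement, as an added example that is not code from anyone in this thread. The dbo.Orders table, its columns and the parameter names are assumed, and STRING_SPLIT/STRING_AGG assume SQL Server 2017 or later.

```sql
-- Added example: dynamic SELECT with a whitelisted column list and a
-- parameterised WHERE clause. Table, column and parameter names are assumed.
CREATE PROCEDURE dbo.SearchOrders
    @Columns    NVARCHAR(400),           -- e.g. N'OrderID,CustomerID,Total'
    @CustomerID INT           = NULL,    -- each optional filter is a typed parameter
    @MinTotal   DECIMAL(12,2) = NULL,
    @Status     VARCHAR(20)   = NULL
WITH RECOMPILE  -- fresh plan per call; sidesteps the parameter-sniffing problem
AS
BEGIN
    SET NOCOUNT ON;

    -- Whitelist of columns the caller may request; anything else is silently dropped.
    DECLARE @Allowed TABLE (ColumnName SYSNAME PRIMARY KEY);
    INSERT INTO @Allowed (ColumnName)
    VALUES (N'OrderID'), (N'CustomerID'), (N'OrderDate'), (N'Total'), (N'Status');

    -- Keep only requested names that appear in the whitelist; QUOTENAME brackets
    -- each identifier so the spliced text can only ever be a column name.
    DECLARE @SelectList NVARCHAR(MAX);
    SELECT @SelectList = STRING_AGG(QUOTENAME(a.ColumnName), N', ')
    FROM STRING_SPLIT(@Columns, N',') AS s
    JOIN @Allowed AS a ON a.ColumnName = LTRIM(RTRIM(s.value));

    IF @SelectList IS NULL
        THROW 50001, N'No valid columns requested.', 1;

    -- Only the *shape* of the WHERE clause varies; the values never enter the
    -- SQL text, they travel as parameters to sp_executesql.
    DECLARE @Sql NVARCHAR(MAX) =
        N'SELECT ' + @SelectList + N' FROM dbo.Orders WHERE 1 = 1';
    IF @CustomerID IS NOT NULL SET @Sql += N' AND CustomerID = @CustomerID';
    IF @MinTotal   IS NOT NULL SET @Sql += N' AND Total >= @MinTotal';
    IF @Status     IS NOT NULL SET @Sql += N' AND Status = @Status';

    EXEC sys.sp_executesql
        @Sql,
        N'@CustomerID INT, @MinTotal DECIMAL(12,2), @Status VARCHAR(20)',
        @CustomerID = @CustomerID, @MinTotal = @MinTotal, @Status = @Status;
END;
```

With 50 optional filters the IF block grows linearly rather than into the 2^n combinations Jürgen describes, and a bad @Columns value fails closed instead of reaching the engine.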



-- 
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com


