Level Extreme platform
Subscription
Corporate profile
Products & Services
Support
Legal
Français
How to use dates in WHERE in SQL Server
Message
From
11/06/2008 19:10:27
Cetin Basoz
Engineerica Inc.
Izmir, Turkey
 
General information
Forum:
Microsoft SQL Server
Category:
Other
Title:
Re: How to use dates in WHERE in SQL Server
Miscellaneous
Thread ID:
01322704
Message ID:
01323322
Views:
29
>>>
>>>Thank you for the explanation. Do I understand correctly that when you use the "?parameter" approach you are not opening database to the public? And when you are sending a SQL string to be executed on the server, you are?
>>
>>Yes, with parameter approach your calls are immune to attack. With string building approach you let people to be able to do anything that connected user could do (like querying sensitive data, deleting tables, ...).
>>Cetin
>
>
>You are still sending open SQL statements across to the SQL server. The fact that you add the date to the command via parameter or straight text doesn't change the string you are sending to the server does it? It is still a raw SQL command.
>
>AFAIK to prevent SQL injection, the idea is to NOT send raw SQL commands to the server - Instead call stored procedures and send parameters - the hacker does not see database structure that way.

No you are not sending staright SQL strings but parameterized calls. SPs do not prevent you from SQL injection attack. It is still parameters that is protecting you.
Cetin
Çetin Basöz

The way to Go
Flutter - For mobile, web and desktop.
World's most advanced open source relational database.
.Net for foxheads - Blog (main)
FoxSharp - Blog (mirror)
Welcome to FoxyClasses

LinqPad - C#,VB,F#,SQL,eSQL ... scratchpad
Previous
Reply
Map
View

Click here to load this message in the networking platform