How to use dates in WHERE in SQL Server
Message
From: Cetin Basoz, Engineerica Inc., Izmir, Turkey
Date: 11/06/2008 19:10:27
General information
Forum: Microsoft SQL Server
Category: Other, Miscellaneous
Thread ID: 01322704
Message ID: 01323322
Views: 30
>>>
>>>Thank you for the explanation. Do I understand correctly that when you use the "?parameter" approach you are not opening the database to the public? And when you are sending a SQL string to be executed on the server, you are?
>>
>>Yes, with the parameter approach your calls are immune to attack. With the string-building approach you let people do anything that the connected user could do (like querying sensitive data, deleting tables, ...).
>>Cetin
>
>
>You are still sending open SQL statements across to the SQL server. The fact that you add the date to the command via parameter or straight text doesn't change the string you are sending to the server does it? It is still a raw SQL command.
>
>AFAIK to prevent SQL injection, the idea is to NOT send raw SQL commands to the server - Instead call stored procedures and send parameters - the hacker does not see database structure that way.

No, you are not sending straight SQL strings but parameterized calls. SPs do not prevent you from SQL injection attack. It is still the parameters that are protecting you.
Cetin
Çetin Basöz

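To illustrate the point made in the reply above (a stored procedure by itself does not protect you; the typed parameter does), here is an added T-SQL example that is not part of the thread. It assumes a hypothetical table dbo.Orders with columns OrderID INT and OrderDate DATETIME; the procedure names are made up for this example.

```sql
-- Constructed example (not from the original thread). Assumes a table
-- dbo.Orders (OrderID INT, OrderDate DATETIME).

-- 1) A stored procedure that still builds the statement as a string.
--    The caller's text is pasted into the SQL, so a quote character in
--    the input ends the literal and whatever follows runs as SQL.
--    Being inside a procedure changes nothing: this is still "string building".
CREATE PROCEDURE dbo.GetOrdersFrom_Unsafe
    @FromDate NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT OrderID, OrderDate FROM dbo.Orders '
             + N'WHERE OrderDate >= ''' + @FromDate + N'''';
    EXEC (@sql);   -- executed verbatim: injectable
END;
GO

-- 2) The same query with a typed parameter. The date arrives as a
--    DATETIME value and never becomes part of the SQL text, which is the
--    protection the "?parameter" approach gives from the client side.
CREATE PROCEDURE dbo.GetOrdersFrom
    @FromDate DATETIME
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderID, OrderDate
    FROM dbo.Orders
    WHERE OrderDate >= @FromDate;
END;
GO

-- 3) When dynamic SQL is genuinely needed inside a procedure, keep it
--    parameterized with sp_executesql rather than EXEC on a built string.
CREATE PROCEDURE dbo.GetOrdersFrom_Dynamic
    @FromDate DATETIME
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT OrderID, OrderDate FROM dbo.Orders WHERE OrderDate >= @d;';
    EXEC sp_executesql @sql, N'@d DATETIME', @d = @FromDate;
END;
GO

-- Calling the safe form with an unambiguous ISO 8601 literal, so the
-- server does not have to guess day/month order from the session locale.
EXEC dbo.GetOrdersFrom @FromDate = '2008-06-11T00:00:00';
```

The only difference between the first and second procedures is whether the date travels as text inside the statement or as a typed value alongside it; that, not the use of a procedure, is what decides whether the call is injectable.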