How To Make A 'Safe' Flexible Query?

Marauderz

I'm just about to make Yet Another Search Form For A DB Application. I'd
just like to ask.. if I were able to search based upon a different number of
columns, say sometimes firstname, sometimes lastname, sometimes both? what's
the best way to create a query?

Definitely not
strSelect="Select * from Authors where " & QueryCol1 & "=@QueryValue1 and " & QueryCol2 & "=@QueryValue2"

Or something to that matter, right? Since that's just asking for some sort of
SQL injection attack to happen?

Thanks.
 
Hi,

Marauderz said:
I'm just about to make Yet Another Search Form For A DB Application. I'd
just like to ask.. if I were able to search based upon a different number of
columns, say sometimes firstname, sometimes lastname, sometimes both? what's
the best way to create a query?

Definitely not
strSelect="Select * from Authors where " & QueryCol1 & "=@QueryValue1 and " & QueryCol2 & "=@QueryValue2"

Or something to that matter, right? Since that's just asking for some sort of
SQL injection attack to happen?

Why not? Those are parameters after all and not subject to injection attack.
If you put it this way:
strSelect="Select * from Authors where " & QueryCol1 & "='" & textvalue & "' and " ..
this *would be risky*.
 
I know.. guess I'm just a bit paranoid over any sort of string concatenation
=P
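The distinction the thread turns on is that the search values can be bound as parameters, but the column names (QueryCol1, QueryCol2) are spliced into the SQL text and so must be restricted to a fixed set. The following is an added example, not code from the thread, written with Python's sqlite3 instead of the original ADO.NET; the Authors table, its rows and the allow-list of searchable columns are constructed for illustration.

```python
import sqlite3

# Assumed allow-list of columns the search form may filter on. Identifiers
# cannot be bound as parameters, so anything not in this set is rejected
# before it reaches the statement text.
SEARCHABLE_COLUMNS = {"firstname", "lastname"}


def build_author_query(filters):
    """Build a parameterised SELECT from {column: value}.

    Column names are checked against SEARCHABLE_COLUMNS; values are always
    passed through '?' placeholders and never concatenated into the SQL.
    A query with no filters has no WHERE clause at all.
    """
    clauses, params = [], []
    for column, value in filters.items():
        if column not in SEARCHABLE_COLUMNS:
            raise ValueError(f"column not searchable: {column!r}")
        clauses.append(f"{column} = ?")
        params.append(value)
    sql = "SELECT firstname, lastname FROM Authors"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


def search_authors(conn, filters):
    sql, params = build_author_query(filters)
    return conn.execute(sql, params).fetchall()


def make_sample_db():
    # Constructed in-memory stand-in for the thread's Authors table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Authors (firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO Authors VALUES (?, ?)", [
        ("Ada", "Lovelace"), ("Alan", "Turing"), ("Conor", "O'Brien"),
    ])
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print(search_authors(db, {"lastname": "Turing"}))
    # A quote inside the value is just data when it is bound as a parameter;
    # the concatenated form in the reply above would have broken on it.
    print(search_authors(db, {"firstname": "Conor", "lastname": "O'Brien"}))
```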
 