How To Make A 'Safe' Flexible Query?

Marauderz

I'm just about to make Yet Another Search Form For A DB Application. I'd
just like to ask: if I were able to search based upon a different number of
columns, say sometimes firstname, sometimes lastname, sometimes both, what's
the best way to create a query?

Definitely not
strSelect="Select * from Authors where " & QueryCol1 & "=@QueryValue1 and "
& QueryCol2 & "=@QueryValue2"

Or something to that effect, right? Since that's just asking for some sort of
SQL injection attack to happen.

Thanks.
 
Hi,

Marauderz said:
I'm just about to make Yet Another Search Form For A DB Application. I'd
just like to ask: if I were able to search based upon a different number of
columns, say sometimes firstname, sometimes lastname, sometimes both, what's
the best way to create a query?

Definitely not
strSelect="Select * from Authors where " & QueryCol1 & "=@QueryValue1 and "
& QueryCol2 & "=@QueryValue2"

Or something to that effect, right? Since that's just asking for some sort of
SQL injection attack to happen.

Why not? Those are parameters after all and not subject to injection attack.
If you put it this way:
strSelect="Select * from Authors where " & QueryCol1 & "='" + textvalue + "'
and "..
this *would be risky*.
 
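One way to build the flexible search so that both halves are safe, as an added example that is not code from this thread (Python with sqlite3 rather than the ADO.NET the poster is using, over a constructed Authors table): the values are bound with placeholders, as the reply says, and the column names, which cannot be passed as parameters, are checked against an allow-list before they are spliced into the SQL.

```python
import sqlite3

# Column names the search form may filter on (allow-list). A column name
# cannot be bound as a query parameter, so it is validated against this
# set before being interpolated; the values are always bound as parameters.
SEARCHABLE_COLUMNS = {"firstname", "lastname", "city"}

def build_author_query(filters):
    """Build a parameterised SELECT over Authors from {column: value}.
    Returns (sql, params). Raises ValueError for a column not on the list."""
    clauses, params = [], []
    for column, value in filters.items():
        if column not in SEARCHABLE_COLUMNS:
            raise ValueError(f"column not searchable: {column!r}")
        clauses.append(f'"{column}" = ?')   # name comes from the allow-list only
        params.append(value)                # value is bound, never spliced in
    sql = "SELECT firstname, lastname, city FROM Authors"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params

def search_authors(conn, filters):
    """Run the search and return the matching rows."""
    sql, params = build_author_query(filters)
    return conn.execute(sql, params).fetchall()

def demo_connection():
    """Constructed in-memory sample data (hypothetical, not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Authors (firstname TEXT, lastname TEXT, city TEXT)")
    conn.executemany("INSERT INTO Authors VALUES (?, ?, ?)", [
        ("Ada", "Lovelace", "London"),
        ("Alan", "Turing", "London"),
        ("Grace", "Hopper", "New York"),
    ])
    return conn

if __name__ == "__main__":
    conn = demo_connection()
    print(search_authors(conn, {"lastname": "Turing"}))
    print(search_authors(conn, {"firstname": "Ada", "city": "London"}))
    # A value containing SQL syntax is compared literally, not executed.
    print(search_authors(conn, {"lastname": "x' OR '1'='1"}))
    try:
        search_authors(conn, {"lastname; DROP TABLE Authors": "x"})
    except ValueError as e:
        print("rejected:", e)
```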