SQL contains clause validation problem

M

matt

Hi,

I'm writing a visual basic application which searches a database of e-mail
messages, based on certain criteria. I'm using dynamic SQL and an exec
sp_executesql statement on the dynamic sql string. I'm using full text
indexing, and a contains clause to search certain columns, and I'm trying to
figure out the best way to validate the input passed from visual basic to my
sql query. SQL has certain "noise" words that are ignored, and generate
errors in my program. The requirement for the validation is...
1. search strings cannot start with (and, or, not)
2. single search terms must be surrounded by quotes, and cannot be a noise
word.
3. phrases(two or more words separated by spaces) must be surrounded by
quotes, and may contain noise words, but all words within the phrase must
not be noise words.
I found trying to write something to validate this is quite a headache, and
I was wondering if anyone had thoughts on an efficient way to do this. A
list of noise words can be found at:
http://beinecke.library.yale.edu/SQLIgnoredWords.html

The part of the dynamic sql search looks like this:
IF @SubjectSearch IS NOT NULL
select @sql = @sql + ' AND CONTAINS(M.Subject, @xSubjectSearch)'

Thanks in advance.


-Matt
 
M

Mary Chipman

I'm wondering why you need to filter out noise words when SQL Server
will do it for you? If you need to validate your input strings, use
regular expressions -- here's a link to the help topic:
ms-help://MS.VSCC.2003/MS.MSDNQTR.2004APR.1033/cpguide/html/cpconCOMRegularExpressions.htm

Also, be aware that using sp_executesql to execute dynamic SQL is a
good way to leave your database open to SQL injection attacks and is
not recommended. There's a lot of good info available if you google
"sql injection SQL Server".

--Mary
 
M

matt

Mary,

We're aware of the risks of dynamic SQL, but unfortunately until SQL Server
2005, we will have to deal with this issue. To do this query statically,
would require (permutation of the varying amount of parameters) queries, in
conditional statements.


-Matt
 
M

Mary Chipman

We're aware of the risks of dynamic SQL, but unfortunately until SQL Server
2005, we will have to deal with this issue. To do this query statically,
would require (permutation of the varying amount of parameters) queries, in
conditional statements.
Click to expand...

Just wanted to rule out the possibility that you didn't know what you
were doing in that regard :)

--Mary
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Generate a SQL statement like a search engine 1
SQL CONTAINS clause parameter substitution problem 3
CONTAINS clause problem with apostrophe 1
Is it SQL 2008 or VB 2008 problem? I don't know 1
Combo Box from SQL 2
connection to sql server 2005 problem 5
Dynamically create stored procedure in sql server from a vb.netwindows forms app 6
SQL Contains query 3

Top