Metcalf
Yak Posting Veteran
52 Posts
Posted - 2010-10-14 : 10:27:05
I have a report request wherein the user inputs a string of text, and searches a part database for all instances of that particular text in a handful of pre-selected fields. Where I normally would use the DB to populate a drop down, I can't do that here - I have to accept text input. How do I do this without leaving the database vulnerable to malicious or stupid input? Even though the report would only be available on our intranet, all it takes is one disgruntled person...

Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts
Posted - 2010-10-14 : 14:23:07
Make sure all values are passed to SQL Server as parameters, and the values that users input are not used to build SQL statements.

CODO ERGO SUM

visakh16
Very Important crosS Applying yaK Herder
52326 Posts
Posted - 2010-10-17 : 02:25:07
You can also do some preliminary validation to check for spurious input by means of a hidden parameter. Just check the value of the passed-on parameter inside and then return a boolean result based on whether it's valid or not.

SQL Server MVP
http://visakhm.blogspot.com/
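The two answers above side by side, as an added example that is not code from either poster or from SQLTeam: a multi-field search that splices the user's text into the statement, the parameterised version of the same search, and a preliminary validity check of the kind visakh16 describes. It assumes a constructed three-column `parts` table with sample rows; sqlite3 stands in for SQL Server only because it ships with Python, so placeholders are `?` rather than `@name`, and the `SEARCH_FIELDS`, `search_unsafe`, `search_safe`, `escape_like` and `is_valid_search` names are mine. One caveat the parameter advice alone does not cover is also shown: binding a value keeps it out of the SQL grammar, but `LIKE` still treats `%` and `_` (and on SQL Server `[`) inside that value as wildcards, so they need an `ESCAPE` clause to match literally.

```python
import re
import sqlite3

# Constructed sample data standing in for the part database in the question.
SAMPLE_PARTS = [
    ("P-100", "10mm hex bolt", "zinc plated"),
    ("P-200", "5% tolerance resistor", "through hole"),
    ("P-300", "gasket", "rubber"),
]

# The "handful of pre-selected fields" the report searches (column names assumed).
# This list is trusted configuration, never user input.
SEARCH_FIELDS = ("part_no", "description", "notes")


def make_db():
    """In-memory sqlite3 table; SQL Server would be reached via a driver with
    the same parameter discipline (placeholder syntax differs, principle does not)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parts (part_no TEXT, description TEXT, notes TEXT)")
    conn.executemany("INSERT INTO parts VALUES (?, ?, ?)", SAMPLE_PARTS)
    return conn


def search_unsafe(conn, text):
    """What NOT to do: the user's text becomes part of the SQL statement, so a
    quote in the input ends the string literal and the rest runs as SQL.
    Unescaped % and _ in the input also act as wildcards."""
    where = " OR ".join(f"{field} LIKE '%{text}%'" for field in SEARCH_FIELDS)
    sql = f"SELECT part_no FROM parts WHERE {where} ORDER BY part_no"
    return [row[0] for row in conn.execute(sql)]


def escape_like(text, esc="\\"):
    """Parameters keep the input out of the SQL grammar, but LIKE still reads
    %, _ (and on SQL Server also [) as wildcards inside the bound value.
    Prefix them with an escape character that the query declares via ESCAPE."""
    out = text.replace(esc, esc + esc)
    for wildcard in ("%", "_", "["):
        out = out.replace(wildcard, esc + wildcard)
    return out


def search_safe(conn, text):
    """The statement text is fixed; the user's string travels only as a bound
    value, once per searched column."""
    pattern = "%" + escape_like(text) + "%"
    where = " OR ".join(f"{field} LIKE ? ESCAPE '\\'" for field in SEARCH_FIELDS)
    sql = f"SELECT part_no FROM parts WHERE {where} ORDER BY part_no"
    params = [pattern] * len(SEARCH_FIELDS)
    return [row[0] for row in conn.execute(sql, params)]


# Preliminary validation of the kind a hidden report parameter can perform:
# one to 64 characters drawn from an allow-list (assumed to suit part data).
# It rejects obviously spurious input early and bounds the work a search can
# cause; it is a sanity gate in front of the parameterised query, not a
# replacement for it.
ALLOWED = re.compile(r"[A-Za-z0-9 ./%_-]{1,64}")


def is_valid_search(text):
    return ALLOWED.fullmatch(text) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "%' OR 1=1 --"
    print("unsafe, injected input:", search_unsafe(db, payload))
    print("safe, same input:      ", search_safe(db, payload))
    print("safe, literal percent: ", search_safe(db, "5%"))
    print("valid?", is_valid_search("hex bolt"), is_valid_search(payload))
```

Running it shows the concatenated query returning every part for the injected input while the parameterised query returns nothing for it, and a search for `5%` matching only the resistor because the `%` is escaped. On SQL Server the same shape is obtained with `sp_executesql` and `@name` parameters inside a stored procedure, or with the driver's placeholders from the reporting tool.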