Pass search string to stored proc, but ....

[abs2003]

Hello all,
Someone out there may have the same question.
I have ASP.NET advance search page which contains 10 different textboxes. I build a query string bases on this textboxes. I submit to stored proc to pull these records. The problem is if a user enter 'delete * ' or something like that in one of the textbox, it will cause a very painful solution. Microsoft loop hole - How can we get around it?

Thanks, hope this will give you guys enough info.

abs

 

[gmmastros]

You should first create a stored procedure to return your data. Since you have 10 search criteria, you may need to get a little creative with the SP. This thread should help thread183-1094636

You then need to modify the asp.net code to use a command object. I'm not an asp kinda guy, but if you post in that forum, I'm sure someone could help.

Good luck.

-George

Strong and bitter words indicate a weak cause. - Fortune cookie wisdom

 

[abs2003]

Thank you for replying gmmasteros. I have an idea how I'm going to do
Create stored proc for each search.
Have a main dataset created
For each criteria, murge dataset with main dataset
I, then, select distinct record from main dataset.

 

[gmmastros]

If you work hard enough, you may be able to get your proposed solution to work. I suspect that it will be considerably slower than having 1 stored procedure to return the results.

-George

Strong and bitter words indicate a weak cause. - Fortune cookie wisdom

 

[abs2003]

I am working on it and will put my solution here for anyone who may run into the same problem.

 

[abs2003]

gmmasteros,
I use thread183-1094636 wich help. Thank you.

abs2003