ADO recordset paging

Discussion in 'ASP General' started by Ing. Branislav Gerzo, Jun 24, 2005.

  1. Hi all,

    I was at http://aspfaq.com/show.asp?id=2120, read all techniques.
    I chose the fastest one - it is the last one, "SP ROW COUNT".
    SP looks like:
    CREATE PROCEDURE SampleCDs_Paging_Rowcount
    @pagenum INT = 1,
    @perpage INT = 50
    AS

    The problem is, I want to dynamically change the SQL SELECT (because I want
    to filter the output by something - name, author, year, order and so on).
    So I thought it could be a nice idea to call the stored procedure with
    3 SQL SELECTs added as arguments. So it should look like:
    CREATE PROCEDURE SampleCDs_Paging_Rowcount -- change name
    @pagenum INT = 1,
    @perpage INT = 50,
    @SQL1 nvarchar(1000),
    @SQL2 nvarchar(1000),
    @SQL3 nvarchar(1000)
    AS

    What do you think about that?
     
    Ing. Branislav Gerzo, Jun 24, 2005
    #1

  2. Ing. Branislav Gerzo wrote:
    > Hi all,
    >
    > I was at http://aspfaq.com/show.asp?id=2120, read all techniques.
    > I chose the fastest one - it is the last one, "SP ROW COUNT".
    > SP looks like:
    > CREATE PROCEDURE SampleCDs_Paging_Rowcount
    > @pagenum INT = 1,
    > @perpage INT = 50
    > AS
    >
    > The problem is, I want to dynamically change the SQL SELECT (because I want
    > to filter the output by something - name, author, year, order and so on).
    > So I thought it could be a nice idea to call the stored procedure with
    > 3 SQL SELECTs added as arguments. So it should look like:
    > CREATE PROCEDURE SampleCDs_Paging_Rowcount -- change name
    > @pagenum INT = 1,
    > @perpage INT = 50,
    > @SQL1 nvarchar(1000),
    > @SQL2 nvarchar(1000),
    > @SQL3 nvarchar(1000)
    > AS
    >
    > What do you think about that?


    Hackers will love it. Read these articles about SQL Injection:
    http://mvp.unixwiz.net/techtips/sql-injection.html
    http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
    http://www.nextgenss.com/papers/advanced_sql_injection.pdf
    http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf


    Read this article by Erland Sommarskog for ideas about dynamic search
    conditions: http://www.sommarskog.se/dyn-search.html. While you're there,
    browse through the rest of the articles on his site, they are extremely
    worthwhile.

    Bob Barrows


    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows [MVP], Jun 24, 2005
    #2

  3. Bob Barrows [MVP] [BB], on Friday, June 24, 2005 at 08:39 (-0400)
    thinks about:

    BB> Hackers will love it. Read these articles about SQL Injection:

    Yes, I know. So I changed the whole design and switched to Recordset.Move()
    in ASP, no more SP. In ASP I will dynamically create the SQL and so on,
    but of course I will check the GET/POST args.

    BB> http://mvp.unixwiz.net/techtips/sql-injection.html
    BB> http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
    BB> http://www.nextgenss.com/papers/advanced_sql_injection.pdf
    BB> http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

    thanks for links, will read that!

    --

    How do you protect mail on web? I use http://www.2pu.net

    [I'll take 'Famous Turkowskis' for $1000, Alex.]
     
    Ing. Branislav Gerzo, Jun 24, 2005
    #3
  4. Ing. Branislav Gerzo wrote:
    > Bob Barrows [MVP] [BB], on Friday, June 24, 2005 at 08:39 (-0400)
    > thinks about:
    >
    >> Hackers will love it. Read these articles about SQL Injection:

    >
    > Yes, I know. So I changed the whole design and switched to
    > Recordset.Move() in ASP, no more SP.


    Then you may still be vulnerable to SQL injection if you are using user
    input to build dynamic SQL statements. Make sure you read those articles.

    For a safe alternative to dynamic SQL that does not require a stored
    procedure, read:

    http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

    Bob Barrows

    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows [MVP], Jun 24, 2005
    #4
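The two designs discussed in this thread side by side, as an added T-SQL example that is not part of the thread and not code from aspfaq.com or from Sommarskog's article. It illustrates Bob's point in #2 (a stored procedure that accepts SQL text as an argument is injectable no matter how carefully the rest of it is written) and his point in #4 (the fix is to pass values as parameters, with or without a stored procedure). The table SampleCDs and its columns id, name, author and [year] are assumed for illustration, as is the ROWCOUNT paging technique the thread refers to; the procedure names are also made up here.

```sql
-- Added example, not code from the thread or from the linked articles.
-- Assumed table: SampleCDs(id INT, name NVARCHAR(100), author NVARCHAR(100), [year] INT)

-- 1. The design proposed in #1: SQL text arrives as a parameter and is run
--    as-is. Nothing inside the procedure can tell a WHERE clause the ASP page
--    meant to send from one an attacker appended to the query string.
CREATE PROCEDURE SampleCDs_Paging_Unsafe
    @SQL1 NVARCHAR(1000)              -- e.g. N'WHERE author = ''Queen'''
AS
    EXEC(N'SELECT id, name, author, [year] FROM SampleCDs ' + @SQL1)
GO

-- 2. Same goal, safe: the caller passes values, never SQL. Each filter
--    parameter defaults to NULL ("not used"), the WHERE clause is assembled
--    from fixed fragments only, and the values reach sp_executesql through a
--    typed parameter list, so they are data rather than syntax.
--    Paging uses the ROWCOUNT technique: find the id of the last row before
--    the requested page, then return @perpage rows after it.
CREATE PROCEDURE SampleCDs_Paging_Search
    @pagenum INT = 1,
    @perpage INT = 50,
    @name    NVARCHAR(100) = NULL,    -- prefix match on name
    @author  NVARCHAR(100) = NULL,    -- exact match
    @year    INT           = NULL     -- exact match
AS
SET NOCOUNT ON

DECLARE @sql    NVARCHAR(2000),
        @where  NVARCHAR(1000),
        @params NVARCHAR(500),
        @skip   INT,                  -- rows that precede the requested page
        @lastid INT                   -- id of the row just before the page

-- Clamp the paging inputs before they reach SET ROWCOUNT.
IF @pagenum < 1 SET @pagenum = 1
IF @perpage < 1 OR @perpage > 500 SET @perpage = 50
SET @skip = (@pagenum - 1) * @perpage

-- Only fixed text is concatenated; @name, @author and @year never are.
-- (% and _ inside @name still act as LIKE wildcards: they can widen the
-- search, they cannot change the statement.)
SET @where = N'WHERE 1 = 1'
IF @name   IS NOT NULL SET @where = @where + N' AND name LIKE @name + ''%'''
IF @author IS NOT NULL SET @where = @where + N' AND author = @author'
IF @year   IS NOT NULL SET @where = @where + N' AND [year] = @year'

-- One parameter list serves both statements; names a statement does not
-- reference are harmless.
SET @params = N'@n INT, @name NVARCHAR(100), @author NVARCHAR(100), ' +
              N'@year INT, @lastid INT OUTPUT'

-- Step 1: with ROWCOUNT = @skip, "SELECT @lastid = id ... ORDER BY id"
-- leaves @lastid holding the id of the @skip-th matching row.
-- On page 1 there is nothing to skip and @lastid stays NULL.
SET @lastid = NULL
IF @skip > 0
BEGIN
    SET @sql = N'SET ROWCOUNT @n ' +
               N'SELECT @lastid = id FROM SampleCDs ' + @where +
               N' ORDER BY id ' +
               N'SET ROWCOUNT 0'
    EXEC sp_executesql @sql, @params, @skip, @name, @author, @year, @lastid OUTPUT
END

-- Step 2: return the page itself, i.e. the next @perpage matching rows.
-- If the page lies past the end of the result, @lastid is the last matching
-- id and this returns no rows.
SET @sql = N'SET ROWCOUNT @n ' +
           N'SELECT id, name, author, [year] FROM SampleCDs ' + @where +
           N' AND (@lastid IS NULL OR id > @lastid) ORDER BY id ' +
           N'SET ROWCOUNT 0'
EXEC sp_executesql @sql, @params, @perpage, @name, @author, @year, @lastid OUTPUT
GO

-- Usage: page 2 of Queen's CDs, 10 per page. A value such as
-- @author = N''' OR 1 = 1 --' is compared as a literal author name and
-- simply matches no row; it never becomes part of the statement.
EXEC SampleCDs_Paging_Search @pagenum = 2, @perpage = 10, @author = N'Queen'
```

The ASP side should call this (or any parameterised statement) through an ADODB.Command with Parameters rather than by concatenating request values into a string; checking GET/POST arguments by hand, as suggested in #3, is no substitute for keeping them out of the SQL text. On SQL Server 2005 and later the same parameter discipline applies, with ROW_NUMBER() usually taking the place of SET ROWCOUNT for the paging itself.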
