ADO recordset paging

  • Thread starter Ing. Branislav Gerzo

Ing. Branislav Gerzo

Hi all,

I was at http://aspfaq.com/show.asp?id=2120 and read all the techniques.
I chose the fastest one, the last one, "SP ROW COUNT".
The SP looks like:
CREATE PROCEDURE SampleCDs_Paging_Rowcount
@pagenum INT = 1,
@perpage INT = 50
AS

The problem is, I want to dynamically change the SQL select (because I want
to filter the output by something: name, author, year, order and so on).
So I thought it could be a nice idea to call the stored procedure with
3 SQL SELECTs added as arguments. So it should look like:
CREATE PROCEDURE SampleCDs_Paging_Rowcount -- change name
@pagenum INT = 1,
@perpage INT = 50,
@SQL1 nvarchar(1000),
@SQL2 nvarchar(1000),
@SQL3 nvarchar(1000)
AS

What do you think about that?
 

Bob Barrows [MVP]

Ing. Branislav Gerzo said:
Hi all,

I was at http://aspfaq.com/show.asp?id=2120 and read all the techniques.
I chose the fastest one, the last one, "SP ROW COUNT".
The SP looks like:
CREATE PROCEDURE SampleCDs_Paging_Rowcount
@pagenum INT = 1,
@perpage INT = 50
AS

The problem is, I want to dynamically change the SQL select (because I want
to filter the output by something: name, author, year, order and so on).
So I thought it could be a nice idea to call the stored procedure with
3 SQL SELECTs added as arguments. So it should look like:
CREATE PROCEDURE SampleCDs_Paging_Rowcount -- change name
@pagenum INT = 1,
@perpage INT = 50,
@SQL1 nvarchar(1000),
@SQL2 nvarchar(1000),
@SQL3 nvarchar(1000)
AS

What do you think about that?

Hackers will love it. Read these articles about SQL Injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf


Read this article by Erland Sommarskog for ideas about dynamic search
conditions: http://www.sommarskog.se/dyn-search.html. While you're there,
browse through the rest of the articles on his site; they are extremely
worthwhile.

Bob Barrows
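The two posts above describe the "SP ROW COUNT" paging technique and the temptation to pass raw SELECT text into it. The following T-SQL is an added example written for this page, not code from the thread or from aspfaq.com: it assumes a SampleCDs table with the columns CDID, Name, Author and Year (the thread never shows the table), and it keeps the SET ROWCOUNT paging while taking the name/author/year filters as typed parameters in the static-SQL "optional condition" style Bob's Sommarskog link recommends. The contrast with the @SQL1 idea is left in a comment.

```sql
-- Constructed sample schema (assumption: the thread never shows SampleCDs).
CREATE TABLE SampleCDs (
    CDID   INT IDENTITY(1, 1) PRIMARY KEY,
    Name   NVARCHAR(100) NOT NULL,
    Author NVARCHAR(100) NOT NULL,
    [Year] INT NOT NULL
);
GO

-- What the thread's @SQL1/@SQL2/@SQL3 idea amounts to, for contrast (do not use):
--   EXEC (@SQL1)   -- whatever the caller sends is executed verbatim, with the
--                  -- procedure owner's permissions; the filter IS the injection.

CREATE PROCEDURE SampleCDs_Paging_Filtered
    @pagenum INT = 1,
    @perpage INT = 50,
    @name    NVARCHAR(100) = NULL,  -- optional filter: Name starts with @name
    @author  NVARCHAR(100) = NULL,  -- optional filter: exact Author
    @year    INT = NULL             -- optional filter: exact Year
AS
BEGIN
    SET NOCOUNT ON;

    -- Sanity-check the paging arguments before they reach SET ROWCOUNT.
    IF @pagenum < 1 OR @perpage < 1 OR @perpage > 500
    BEGIN
        RAISERROR('Invalid page number or page size', 16, 1);
        RETURN;
    END;

    DECLARE @startrow INT, @firstid INT;
    SET @startrow = (@pagenum - 1) * @perpage + 1;

    -- Step 1 (the ROWCOUNT trick): read the filtered, ordered result up to the
    -- first row of the requested page. A SELECT into a variable keeps the LAST
    -- row it visits, so @firstid ends up as the key of row number @startrow.
    -- The ORDER BY column must be unique (here the primary key); rows that tie
    -- on a non-unique sort column could be lost or duplicated across pages.
    -- Note: '%' and '_' typed by the user act as LIKE wildcards in @name; add an
    -- ESCAPE clause if a literal prefix match is required.
    SET ROWCOUNT @startrow;
    SELECT @firstid = CDID
    FROM   SampleCDs
    WHERE  (@name   IS NULL OR Name LIKE @name + N'%')
      AND  (@author IS NULL OR Author = @author)
      AND  (@year   IS NULL OR [Year] = @year)
    ORDER BY CDID;

    -- Step 2: return @perpage rows from that key on, same filter, same order.
    -- If the page is past the end, @firstid is NULL and nothing is returned.
    SET ROWCOUNT @perpage;
    SELECT CDID, Name, Author, [Year]
    FROM   SampleCDs
    WHERE  CDID >= @firstid
      AND  (@name   IS NULL OR Name LIKE @name + N'%')
      AND  (@author IS NULL OR Author = @author)
      AND  (@year   IS NULL OR [Year] = @year)
    ORDER BY CDID;

    -- Always reset, or the limit leaks into later statements on this connection.
    SET ROWCOUNT 0;
END;
GO

-- Constructed rows and calls for trying it out.
INSERT INTO SampleCDs (Name, Author, [Year]) VALUES (N'Kind of Blue', N'Miles Davis', 1959);
INSERT INTO SampleCDs (Name, Author, [Year]) VALUES (N'Bitches Brew', N'Miles Davis', 1970);
INSERT INTO SampleCDs (Name, Author, [Year]) VALUES (N'Blue Train', N'John Coltrane', 1958);
INSERT INTO SampleCDs (Name, Author, [Year]) VALUES (N'Sketches of Spain', N'Miles Davis', 1960);

-- Page 2 of the Miles Davis CDs, two per page: returns the row for "Sketches of Spain".
EXEC SampleCDs_Paging_Filtered @pagenum = 2, @perpage = 2, @author = N'Miles Davis';

-- A classic injection string is just data here: it is compared against Name
-- as a string and matches no row, nothing is executed.
EXEC SampleCDs_Paging_Filtered @pagenum = 1, @perpage = 50, @name = N''' OR 1=1 --';
```

The `@x IS NULL OR col = @x` form is the simplest of the approaches in the dyn-search article; it is safe because the values never become part of the statement text, but on large tables the single plan it produces may be poor for some filter combinations, which is the trade-off the article's later sections address.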
 

Ing. Branislav Gerzo

Bob Barrows [MVP] [BB], on Friday, June 24, 2005 at 08:39 (-0400)
thinks about:

BB> Hackers will love it. Read these articles about SQL Injection:

Yes, I know. So I changed the whole design and switched to Recordset.Move()
in ASP, no more SP. In ASP I will dynamically create the SQL and so on,
but of course I will check the GET/POST args.

BB> http://mvp.unixwiz.net/techtips/sql-injection.html
BB> http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
BB> http://www.nextgenss.com/papers/advanced_sql_injection.pdf
BB> http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

thanks for links, will read that!
 

Bob Barrows [MVP]

Ing. Branislav Gerzo said:
Bob Barrows [MVP] [BB], on Friday, June 24, 2005 at 08:39 (-0400)
thinks about:
Hackers will love it. Read these articles about SQL Injection:

Yes, I know. So I changed the whole design and switched to
Recordset.Move() in ASP, no more SP.

Then you may still be vulnerable to SQL injection if you are using user
input to build dynamic SQL statements. Make sure you read those articles.

For a safe alternative to dynamic SQL that does not require a stored
procedure, read:

http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

Bob Barrows
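Bob's point here is that checking GET/POST arguments and then splicing them into a SQL string is still injectable; what makes a query safe is that user values travel as parameters. The linked post covers doing that from ADO; the T-SQL below is an added example (not from the thread) of the same idea when the query genuinely has to be assembled at run time, for instance because the sort column is chosen by the user. It assumes the same constructed SampleCDs table (CDID, Name, Author, Year) and SQL Server 2005 or later, since it uses ROW_NUMBER() and NVARCHAR(MAX) in place of the SET ROWCOUNT trick, which needs a fixed unique sort key. Only fixed fragments are concatenated, identifiers are mapped through a whitelist, and every value is bound through sp_executesql, which is also what ADO issues under the hood for a parameterised Command.

```sql
-- Assumes the constructed SampleCDs table (CDID, Name, Author, [Year]).
-- Requires SQL Server 2005 or later (ROW_NUMBER, NVARCHAR(MAX)).
CREATE PROCEDURE SampleCDs_Paging_Dynamic
    @pagenum INT = 1,
    @perpage INT = 50,
    @name    NVARCHAR(100) = NULL,   -- optional filter: Name starts with @name
    @author  NVARCHAR(100) = NULL,   -- optional filter: exact Author
    @year    INT = NULL,             -- optional filter: exact Year
    @sortcol VARCHAR(10) = 'name',   -- requested sort: 'name', 'author' or 'year'
    @sortdir VARCHAR(4)  = 'asc'     -- 'asc' or 'desc'
AS
BEGIN
    SET NOCOUNT ON;

    IF @pagenum < 1 OR @perpage < 1 OR @perpage > 500
    BEGIN
        RAISERROR('Invalid page number or page size', 16, 1);
        RETURN;
    END;

    -- Identifiers cannot be parameters, so the sort column is MAPPED from a
    -- fixed list; the user's string itself never reaches the query text.
    DECLARE @orderby NVARCHAR(40);
    SET @orderby = CASE @sortcol
                       WHEN 'name'   THEN N'Name'
                       WHEN 'author' THEN N'Author'
                       WHEN 'year'   THEN N'[Year]'
                   END;
    IF @orderby IS NULL OR @sortdir NOT IN ('asc', 'desc')
    BEGIN
        RAISERROR('Invalid sort column or direction', 16, 1);
        RETURN;
    END;
    -- CDID as tie-breaker makes the ordering total, so pages never overlap.
    SET @orderby = @orderby + CASE @sortdir WHEN 'desc' THEN N' DESC' ELSE N' ASC' END
                 + N', CDID';

    -- Build the statement from fixed fragments only. The filter VALUES stay as
    -- @name/@author/@year placeholders inside the text and are bound below, so
    -- a value such as N''' OR 1=1 --' is merely a string compared against Name.
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CDID, Name, Author, [Year]
                 FROM (SELECT CDID, Name, Author, [Year],
                              ROW_NUMBER() OVER (ORDER BY ' + @orderby + N') AS rn
                       FROM   SampleCDs
                       WHERE  1 = 1';
    IF @name   IS NOT NULL SET @sql = @sql + N' AND Name LIKE @name + N''%''';
    IF @author IS NOT NULL SET @sql = @sql + N' AND Author = @author';
    IF @year   IS NOT NULL SET @sql = @sql + N' AND [Year] = @year';
    SET @sql = @sql + N') AS numbered
                 WHERE rn BETWEEN @first AND @last
                 ORDER BY rn';

    -- EXEC arguments must be variables or constants, so compute the window first.
    DECLARE @first INT, @last INT;
    SET @first = (@pagenum - 1) * @perpage + 1;
    SET @last  = @pagenum * @perpage;

    -- sp_executesql binds the values as real parameters and lets the server
    -- cache one plan per distinct statement shape.
    EXEC sp_executesql @sql,
         N'@name NVARCHAR(100), @author NVARCHAR(100), @year INT, @first INT, @last INT',
         @name = @name, @author = @author, @year = @year,
         @first = @first, @last = @last;
END;
GO

-- Example calls against the constructed data: second page of one row each,
-- Miles Davis only, newest first -> returns "Sketches of Spain" (1960).
EXEC SampleCDs_Paging_Dynamic @pagenum = 2, @perpage = 1,
     @author = N'Miles Davis', @sortcol = 'year', @sortdir = 'desc';

-- An unexpected sort column is rejected before any query text is built.
EXEC SampleCDs_Paging_Dynamic @pagenum = 1, @perpage = 10,
     @sortcol = 'Name; DROP TABLE SampleCDs';
```

The same split applies in ASP: whatever must be an identifier (a column to sort by, a direction) is chosen from a fixed list in script, and whatever is a value goes in as an ADO parameter, never into the string.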
 