Results 1 to 7 of 7

Thread: [RESOLVED] SQL Statement for newbie !

Threaded View

  1. #5
    PowerPoster techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,687

    Re: SQL Statement for newbie !

    1) You really shouldn't be using generic sql like that.... you should use specific SQL, where the Table and field(s) are known.
    Code:
    strSQL = "SELECT * FROM MyTable WHERE myField = " & "'" & adoCombo.Text & "'"
    2) Now is a good time to learn about parameterized queries. It's the use of " AND ' that is your problem. They are used by SQL as text indicators.... more on the solution in a sec

    3) Another reason fo parameterized queries is security. LEt's use your query as an example:
    Code:
    strSQL = "SELECT * FROM MyTable WHERE myField = " & "'" & adoCombo.Text & "'"
    What would happen if adboCombo contained this: '; DELETE * FROM someTable; SELECT * FROM Users WHERE Uname = '

    Your resulting SQL would look like this:
    SELECT * FROM MyTable WHERE myField = ''; DELETE * FROM someTable; SELECT * FROM Users WHERE Uname = ''

    As you can see.... that would be very bad, now wouldn't it?

    But if you use a parameterized query:
    Code:
    strSQL = "SELECT * FROM MyTable WHERE myField = @FldParam"
    Then use the .CreateParameter (of the command object) to create a paremeter and it's value to pass in, then add it to the parameters collection using .Parameters.Add (again, in the command object).

    Hope this is enough info to get you started looking in the right places

    -tg


    edit: ugh... Gary - geezes... what's with the grep solution? Why does eveyone think that solves things? IMHO that just makes it worse since you're modifying data. Data should never be modified just to store it in the DB. Hack - this trout's for you while syntaticaly correct, there's everything wrong with it.
    Last edited by techgnome; Sep 5th, 2006 at 09:46 AM. Reason: Gary & Hack posted while I was composing.
    * I don't respond to private (PM) requests for help. It's not conducive to the general learning of others.*
    * I also don't respond to friend requests. Save a few bits and don't bother. I'll just end up rejecting anyways.*
    * How to get EFFECTIVE help: The Hitchhiker's Guide to Getting Help at VBF - Removing eels from your hovercraft *
    * How to Use Parameters * Create Disconnected ADO Recordset Clones * Set your VB6 ActiveX Compatibility * Get rid of those pesky VB Line Numbers * I swear I saved my data, where'd it run off to??? *

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width