ADO recordset paging

 
 
Ing. Branislav Gerzo
06-24-2005
Hi all,

I was at http://aspfaq.com/show.asp?id=2120 and read all the techniques.
I chose the fastest one; it is the last one, "SP ROW COUNT".
The SP looks like:
CREATE PROCEDURE SampleCDs_Paging_Rowcount
@pagenum INT = 1,
@perpage INT = 50
AS

The problem is, I want to dynamically change the SQL SELECT (because I want
to filter the output by something: name, author, year, order and so on).
So I thought it could be a nice idea to call the stored procedure with
3 SQL SELECTs added as arguments. So it should look like:
CREATE PROCEDURE SampleCDs_Paging_Rowcount -- change name
@pagenum INT = 1,
@perpage INT = 50,
@SQL1 nvarchar(1000),
@SQL2 nvarchar(1000),
@SQL3 nvarchar(1000)
AS

What do you think about that?

 
Bob Barrows [MVP]
06-24-2005
Ing. Branislav Gerzo wrote:
> Hi all,
>
> I was at http://aspfaq.com/show.asp?id=2120 and read all the techniques.
> I chose the fastest one; it is the last one, "SP ROW COUNT".
> The SP looks like:
> CREATE PROCEDURE SampleCDs_Paging_Rowcount
> @pagenum INT = 1,
> @perpage INT = 50
> AS
>
> The problem is, I want to dynamically change the SQL SELECT (because I want
> to filter the output by something: name, author, year, order and so on).
> So I thought it could be a nice idea to call the stored procedure with
> 3 SQL SELECTs added as arguments. So it should look like:
> CREATE PROCEDURE SampleCDs_Paging_Rowcount -- change name
> @pagenum INT = 1,
> @perpage INT = 50,
> @SQL1 nvarchar(1000),
> @SQL2 nvarchar(1000),
> @SQL3 nvarchar(1000)
> AS
>
> What do you think about that?


Hackers will love it. Read these articles about SQL Injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf


Read this article by Erland Sommarskog for ideas about dynamic search
conditions: http://www.sommarskog.se/dyn-search.html. While you're there,
browse through the rest of the articles on his site; they are extremely
worthwhile.

Bob Barrows


--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


 
Ing. Branislav Gerzo
06-24-2005
Bob Barrows [MVP] [BB], on Friday, June 24, 2005 at 08:39 (-0400)
thinks about:

BB> Hackers will love it. Read these articles about SQL Injection:

Yes, I know. So I changed the whole design and switched to Recordset.Move()
in ASP, no more SP. In ASP I will dynamically create the SQL and so on,
but of course I will check the GET/POST args.

BB> http://mvp.unixwiz.net/techtips/sql-injection.html
BB> http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
BB> http://www.nextgenss.com/papers/adva..._injection.pdf
BB> http://www.nextgenss.com/papers/more..._injection.pdf

thanks for links, will read that!

--

How do you protect mail on web? I use http://www.2pu.net

[I'll take 'Famous Turkowskis' for $1000, Alex.]

 
Bob Barrows [MVP]
06-24-2005
Ing. Branislav Gerzo wrote:
> Bob Barrows [MVP] [BB], on Friday, June 24, 2005 at 08:39 (-0400)
> thinks about:
>
>> Hackers will love it. Read these articles about SQL Injection:

>
> Yes, I know. So I changed the whole design and switched to
> Recordset.Move() in ASP, no more SP.


Then you may still be vulnerable to SQL injection if you are using user
input to build dynamic SQL statements. Make sure you read those articles.

For a safe alternative to dynamic SQL that does not require a stored
procedure, read:

http://groups-beta.google.com/group/...e36562fee7804e

Bob Barrows

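The two points Bob makes above (passing ready-made SELECT text into a procedure, or concatenating request input into SQL in ASP, is injectable; a dynamic search should instead keep identifiers on an allow-list and bind every value as a parameter) are shown side by side in the example below. This is an added example, not code from the thread, from aspfaq.com or from sommarskog.se: it uses Python's sqlite3 module as a stand-in for ASP + ADO + SQL Server, an in-memory SampleCDs table with constructed sample rows, and LIMIT/OFFSET in place of the SET ROWCOUNT paging of the "SP ROW COUNT" technique. The column names, the MAX_PER_PAGE bound and the function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample catalogue standing in for the SampleCDs table named in the thread.
SAMPLE_ROWS = [
    ("Kind of Blue", "Miles Davis", 1959),
    ("A Love Supreme", "John Coltrane", 1965),
    ("Blue Train", "John Coltrane", 1957),
    ("Time Out", "Dave Brubeck", 1959),
    ("Giant Steps", "John Coltrane", 1960),
]

# Column identifiers cannot travel as bound parameters, so the columns a caller may
# filter or sort on are fixed here (assumed names) and every request value is checked
# against the allow-list before it is spliced into the statement text.
FILTER_COLUMNS = ("name", "author", "year")
SORT_COLUMNS = ("name", "author", "year")
MAX_PER_PAGE = 500  # assumed upper bound, keeps a client from asking for the whole table


def open_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE SampleCDs (id INTEGER PRIMARY KEY, name TEXT, author TEXT, year INTEGER)"
    )
    conn.executemany("INSERT INTO SampleCDs (name, author, year) VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, author, pagenum=1, perpage=2):
    """The pattern the thread warns against: request input concatenated into SQL text.
    This is what passing a finished SELECT into the procedure as @SQL1 amounts to."""
    offset = (pagenum - 1) * perpage
    sql = (
        f"SELECT name, author, year FROM SampleCDs WHERE author = '{author}' "
        f"ORDER BY name LIMIT {perpage} OFFSET {offset}"
    )
    return conn.execute(sql).fetchall()


def _where_clause(filters):
    """Build 'col = ? AND col = ?' from a dict: names are allow-listed, values are bound."""
    parts, params = [], []
    for column, value in filters.items():
        if column not in FILTER_COLUMNS:
            raise ValueError(f"filter column not allowed: {column!r}")
        parts.append(f"{column} = ?")
        params.append(value)
    clause = (" WHERE " + " AND ".join(parts)) if parts else ""
    return clause, params


def count_matches(conn, filters):
    """Total row count for the same filters, so the caller can compute the page count."""
    clause, params = _where_clause(filters)
    return conn.execute("SELECT COUNT(*) FROM SampleCDs" + clause, params).fetchone()[0]


def search_safe(conn, filters, sort_by="name", descending=False, pagenum=1, perpage=2):
    """Dynamic search with paging: only allow-listed identifiers reach the statement
    text; every value, including the paging numbers, travels as a bound parameter."""
    if sort_by not in SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_by!r}")
    pagenum, perpage = int(pagenum), int(perpage)  # int('1; DROP ...') raises ValueError
    if pagenum < 1 or not (1 <= perpage <= MAX_PER_PAGE):
        raise ValueError("pagenum/perpage out of range")
    clause, params = _where_clause(filters)
    direction = "DESC" if descending else "ASC"
    sql = (
        "SELECT name, author, year FROM SampleCDs" + clause
        + f" ORDER BY {sort_by} {direction} LIMIT ? OFFSET ?"
    )
    params += [perpage, (pagenum - 1) * perpage]
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = open_db()
    payload = "' OR 1=1 --"
    print("unsafe:", search_unsafe(db, payload))            # every row: filter and paging bypassed
    print("safe:  ", search_safe(db, {"author": payload}))  # []: the payload is just a string value
    print("page 1:", search_safe(db, {"author": "John Coltrane"}, sort_by="year"))
    print("page 2:", search_safe(db, {"author": "John Coltrane"}, sort_by="year", pagenum=2))
```

The same split applies in the ASP/ADO setting of the thread: the allow-listed column and direction become the only strings concatenated into CommandText, and the filter values and paging numbers go through ADODB.Command parameters (or, inside a procedure, through sp_executesql parameters) rather than Request.QueryString values pasted into the statement.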


 