sql server - Searching on a table whose name is defined in a variable -

-

Text after "

Simple problem, but maybe a simple solution, at least I have one on top of my head, but can not think again I am not the best to find the best solution.

I have a stored procedure, it selects the stored procedure on one base (in a basic form), it implies: 

 Select  to mytable < / Code>

OK, quite simple, except for the table name, there is no need to search on it, so we ended up with something very similar to this: 

  - Just variable INT set @metaInfoID = 1 declared @metaInfoTable will be used as the @metaInfoID declaration as VARCHAR Area to choose to give some reference (200) @metaInfoTable = MetaInfoTableName MetaInfos where MetaInfoID = @MetaInfoID VARCHAR (200) set select @sql announced = 'as @sql * the' + @metaInfoTable EXEC @ Sql

So, I know it's finally bad, and can immediately see how I can do SQL injection attacks. So, the question is whether there is any way to achieve the same results without the creation of dynamic SQL? Or am I super, am going to be super careful in my client code?

To use

You have dynamic SQL if you do not know the table name. But yes, the value should be valid before you try to use it in a SQL statement.

Example 

  if exists (select * INFORMATION_SCHEMAkTABLES where TABLE_NAME = @ metaInfoTable) BEGIN - SELECT * FROM @metaInfoTable dynamic SQL END

This will ensure that there is a table with that name. This is clearly an overhead because you are inquiring about INFORMATION_SCHEMA. Instead, you can include only some valid characters valid in @metaInfoTable: 

  - Running dynamic SQL only if the table name's value is 0-9, az, AZ, underscore or spaces ( Bracket in the square, if it contains empty space) IF NOT @metaInfoTable '% ^ [0-9a-zA-Z _]%' BEGIN - Select SELECT * FROM @metaInfoTable Dynamic SQL END  < / Pre>

Comments

Post a Comment

Popular posts from this blog

email - PHP mail error ... failed to open stream : permission denied -

-
I am trying to send an email using PHP mail. I get the following error: WARNING: Unknown: Failed to open the stream: Permission denied in unknown in line 0 Fatal error: unknown: required to open the required '/ Home Php $ name = $ _REQUEST ['name']; $ Email = $ _REQUEST ['email']; $ Theme = $ _REQUEST ['subject']; $ Message = $ _REQUEST ['message']; Mail ("myemail@myhost.com", "topic title", $ message, "sender: $ email"); Header ("Location: http://www.google.com"); ? & Gt; This message is not a mail error PHP file can not open ask_us.php if ask_us If the .php is your file, then check its permissions (and parent folders).
Read more

c# - ListView onScroll event -

-
I am programming a simple C # application, and I need a Scallow event on the list view. So I inherited the original ListView class created in ListviewEx witch. I found out how to locate the scroll message from WinAPI and I modified the WndProc method. Now I have this WndProc: protected override zero WndProc (Ref message message) {base.WndProc (Ref I); If (m.msg == WM_VSCROLL) {onScroll (This, New EventArgs ()); }} But the problem is, I do not know how to know about scrolling information. This data should be in wParam, but there is a LOWORD macro ++ like in C in C # and I switch to find the criteria like SB_ below, SB_ENDSCROLL, SB_PAGEUP etc. there any way Need to change the LOWORD macro from C #? Or any other way to find the necessary parameters about scrolling? You can define the WParam constants as the following: Private const int WM_HSCROLL = 0x114; Private Constant WM_VSCROLL = 0x115; Private contact int SBHOZZ = 0; Private Consultant SB_VERT = 1; Private Con...
Read more

c - Linux mmap() error -

-
I have a memory map file, out of which I want to parse the content of the buffer. MMAP () achieves success, and I can successfully use fprintf to print the buffer content in the file. However, when I try to access Buffer as an array in my program directly, I get a partition error. Why is this happening? Here's the code: #define PTT_DUMP "/ home / druru / somefile". . Int fd_ptt_dump = Open (PTT_DUMP, O_RDONLY); Structure state struct_ptt_dump; Fstat (fd_ptt_dump, & amp; struct_ptt_dump); Printf ("\ n \ n \ t \ t \ t --- Size of dump =% d ----- \ n \ n", struct_ptt_dump.st_size); Four * membuffer; Four pid_num [100]; Four cycles [100], examples [100], CPI [100]; Int pid_index = 0; Int cycles_index = 0; Int instr_index = 0; Int cpi_index = 0; Int len ​​= (int) struct_ptt_dump.st_size; Int newline_count = 0; Int n = 0; If ((membuffer = mmap (0, struct_ptt_dump.st_size, PROT_READ, MAP_FILE | MAP_PRIVATE, fd_ptt_dump, 0)) == (caddr_t) -1) err_sys ("mm...
Read more