Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
lucsky8
Posting Yak Master
105 Posts |
 Posted - 2010-06-16 : 14:24:48
|
Hi i will try to explain my problem the best i can.I have an aspx page that call a SP in sql serverThe aspx have dynamic checkbox. The number of checkbox can vary.Here the query i have now :Ex : @strSchoolCd = the checkbox from the aspx@strSchoolCd = '1,5,6,8'I need to create a select statement where strSchoolCd = 1 or strSchoolCd = 5 etc.. depeding on the numer of checkboxAny idea how to do it?I know i probably have to create a temp table and use some sort of split function but i have no idea how to do thatSELECT scx.strEmail FROM synvStudents as ssINNER JOIN tblStudentXContact as scx ON ss.strNBEN = scx.strNBENWHERE ss.bitActive = 1 AND ss.strSchoolCd = @strSchoolCd AND scx.strEmail <> '' Tks |
|
|
vijayisonly
Master Smack Fu Yak Hacker
1836 Posts |
Posted - 2010-06-16 : 15:05:51
|
| Chk this. Have a look at both the solutions provided.http://www.sqlteam.com/article/introduction-to-dynamic-sql-part-2 |
 |
|
|
lucsky8
Posting Yak Master
105 Posts |
Posted - 2010-06-17 : 07:41:09
|
quote:
Originally posted by vijayisonly
Chk this. Have a look at both the solutions provided.http://www.sqlteam.com/article/introduction-to-dynamic-sql-part-2
Hi perfect tks, it working great!Here what i use in only a part of the spTks again for the link!DECLARE @SQL VarChar(1000), @intError INT, @strErrorMessage VARCHAR(200), @intRowCount INT; Select @SQL = 'SELECT scx.strEmail FROM synvStudents as ss INNER JOIN tblStudentXContact as scx ON ss.strNBEN = scx.strNBEN ' Select @SQL = @SQL + 'WHERE ss.bitActive = 1 AND scx.strEmail <> '''' AND ss.strSchoolCd = ' + @strSchoolCd + ' AND ss.strGradeLevel in (' + @strGradeLevel +')' Exec ( @SQL) |
|
|
|
GilaMonster
Master Smack Fu Yak Hacker
4507 Posts |
|
|
lucsky8
Posting Yak Master
105 Posts |
Posted - 2010-06-17 : 13:51:16
|
[quote]Originally posted by GilaMonster
Careful, that's vulnerable to SQL injection as written.http://sqlinthewild.co.za/index.php/2009/03/19/catch-all-queries/http://sqlinthewild.co.za/index.php/2009/04/03/dynamic-sql-and-sql-injection/Hi tks for the concern.If i use this in a stored procedure and the user is only able to check some checkbox in the aspx page, is it still vulnerable to SQL injection?For SQL injection i tought i the user had to be able to insert a string?Tks for your expertise!!Luc |
|
|
|
madhivanan
Premature Yak Congratulator
22864 Posts |
|
|
urzsuresh
Starting Member
30 Posts |
Posted - 2010-06-18 : 04:57:10
|
quote:
Originally posted by lucsky8
Hi i will try to explain my problem the best i can.I have an aspx page that call a SP in sql serverThe aspx have dynamic checkbox. The number of checkbox can vary.Here the query i have now :Ex : @strSchoolCd = the checkbox from the aspx@strSchoolCd = '1,5,6,8'I need to create a select statement where strSchoolCd = 1 or strSchoolCd = 5 etc.. depeding on the numer of checkboxAny idea how to do it?I know i probably have to create a temp table and use some sort of split function but i have no idea how to do thatSELECT scx.strEmail FROM synvStudents as ssINNER JOIN tblStudentXContact as scx ON ss.strNBEN = scx.strNBENWHERE ss.bitActive = 1 AND ss.strSchoolCd = @strSchoolCd AND scx.strEmail <> '' Tks
May i know,which version of db(2000 or 2005 or 2008) that you are usingSuri |
|
|
|
|
|
|
|
|
Select with a dynamic where