Why won't Dynamic SQL Die?

Using the SqlConnectionStringBuilder to guard against Connection String Injection Attacks

Bill's House O Insomnia — Sun, 15 Jan 2006 15:50:02 GMT

One new object in the ADO.NET 2.0 Library worth taking a look at is the SqlConnectionStringBuilder&nbsp;.&nbsp;...

re: Why won't Dynamic SQL Die?

William — Tue, 27 Sep 2005 03:05:00 GMT

You're correct, for that instance, there's this http://support.microsoft.com/default.aspx?scid=kb;en-us;555167

re: Why won't Dynamic SQL Die?

William — Tue, 27 Sep 2005 02:43:00 GMT

this post look convincing... but what if in the 'where' part needs to use the reserved work 'like'?

such as "where someValue like '%" & something & %'"

I won't be able to use the @SomeValue and set parameters already, right?

re: Why won't Dynamic SQL Die?

William — Sat, 19 Mar 2005 09:21:00 GMT

Here you go:
1. Paging
2. Dynamic Search Conditions
3. Dynamic Filters
4. Dynamic Reports
5. Dynamic databse structure
6. Correctly constructed and executed dynamic SQL is as efficient as a Stored Procedure

Of course, stored procedures and paramterized queries are the way to go for structured data access, however, dynamic SQL is (unfortunatly) the only way in some dynamic scenarios.

re: Why won't Dynamic SQL Die?

William — Sat, 06 Nov 2004 22:06:00 GMT

You can still use Paramaterized Queries and construct the dynamically. You need to know this in advance anyway when using a regular dynamic sql construct, so by using Paramaters instead, you mitigate most of the potential damage that can be done.

re: Why won't Dynamic SQL Die?

William — Sat, 06 Nov 2004 21:36:00 GMT

what if you're not sure how many parameters will be used? how would you use your method for that?

Dynamic SQL

TrackBack — Sat, 24 Jul 2004 22:00:00 GMT

Dynamic SQL

Dynamic Sql

TrackBack — Tue, 06 Jul 2004 18:55:00 GMT

Dynamic Sql

re: Why won't Dynamic SQL Die?

William — Wed, 24 Mar 2004 12:17:00 GMT

Thanks Scorp. Yeah, i could definitely get used to this sort of thing..too bad there aren't any really high paying jobs who's onily requirement is attending these things.

I'll have some more info posted later today.

Cheers,

Bill

W.G. Ryan MVP
www.knowdotnet.com

re: Why won't Dynamic SQL Die?

William — Tue, 23 Mar 2004 22:23:00 GMT

Very cool plan. You ae so lucky I bet you are having a blast. I suspect a lot of people will turn on to this just because working with Excel and Word are so integral to our tasks in companies.

Reporting is my life such as it is. Is there a sample app in the 101 vb.net samples that demonstrate the SQL Server 2000 Reporting Services?

re: Why won't Dynamic SQL Die?

William — Tue, 23 Mar 2004 19:12:00 GMT

Scorp:

Have you had a chance to look at SQL Server 2000 Reporting Services? It's free, is extremely intuitive and allows you to flip from Design to Preview like Crystal Reports used to let you do. I got to play with it at DevDays last week and since then quite a bit. It's very very cool, and if you are doing a lot of reporting, it's well worth looking into.

When I get back Saturday, we'll talk some more about the article, but I think your code would be great and we can mix the Word stuff with it (and XML) and have ourselves a great little article.

Cheers,

Bill

re: Why won't Dynamic SQL Die?

William — Tue, 23 Mar 2004 19:09:00 GMT

Hey Scorp:

I posted these a few days ago, but it's not in relation to the code you showed me ;-). Looks suspicious I know, but it's been a pet peeve of mine for a while.

I actually have the code and it's definitely on my priority list. I've also found that AVG on an INT column has all kinds of rounding issues and I've yet been able to use a cast/convert effectively (even though the documentation says you can). Even if there is a valid work around, I know this has given a lot of people a lot of grief and the documentation needs updated. I'll be in touch later this evening and let you know what I find out.

Thanks again for writing and if you think of anything else, let me know.

Cheers,

Bill

re: Why won't Dynamic SQL Die?

William — Tue, 23 Mar 2004 15:17:00 GMT

Hey while you are there in the next ADO.NET update it would be nice if they would make the table.select and table.compute methods more flexible. You can show them that thread and ask them why filters were being ignored....

Just a thought.

re: Why won't Dynamic SQL Die?

William — Tue, 23 Mar 2004 15:10:00 GMT

I would be happy to contribute the excel code if you like.

Did you see my Word version?

I know I know I should know better than to use dynamic SQL but it was an internal application (within my network) and I didnt really feel that that was too much of a threat.

Crystal Reports - UGH I hate it.

It caused some very adverse effects on folks computers especially the Windows 2000 computers.

I don't like the limitations it puts on me. Sometimes I feel like I have to learn another language.

And to be honest, I love learning how to do what Crystal seems to make so easy. I don't want a tool that does everything for me. Call me crazy I guess....

By the way I am clicking on your site reguarly today.....:)