Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
slserra
Starting Member
19 Posts |
 Posted - 2004-08-25 : 15:33:33
|
| I have an application that allows users to build SQL tables from a web interface. I'm adding the ability to support computed columns but need some help in validating the user's input.I am looking for a way to take an input string and determine whether it contains valid sql syntax. Here's some sample strings for table Table_100:[Column_1234]+' '+[Column_1235]or[Column_1237]*1.5orDateAdd(hour,24,getdate())The first two strings use columns that already exist in the table. The 3rd example does not use an existing table.Since the app builds tables on the fly, the DDL is built into a string and then I exec the string using 'exec (@strSQL)'. I thought about using SET NOEXEC ON and then executing the sql but this does not execute the 'exec (@strSQL)' statement.Any ideas on how this validation can be accomplished?Steve |
|
|
byrmol
Shed Building SQL Farmer
1591 Posts |
Posted - 2004-08-25 : 17:59:20
|
| Steve,Look at SET PARSEONLY ON....DavidM"Always pre-heat the oven" |
 |
|
|
slserra
Starting Member
19 Posts |
Posted - 2004-08-25 : 18:20:41
|
quote:
Originally posted by byrmol
Steve,Look at SET PARSEONLY ON....DavidM"Always pre-heat the oven"
Thanks for the suggestion but unfortunately PARSEONLY cannot be used within a stored procedure. Any other thoughts? |
|
|
|
byrmol
Shed Building SQL Farmer
1591 Posts |
Posted - 2004-08-25 : 19:07:41
|
| I take it you are in an environment where it is access via SPs or not at all.Considering the sql injection threat is still there (EXEC), a SP is useless for this type of work.Build the statement in the client and execute directly.DavidM"Always pre-heat the oven" |
|
|
|
|
|
|
SQL Expression Validation