Matt Smith #1
Default result set.
Using MSSQL Server.
Is there any way I can force a select statement to return a result set? I
have a query for which the column and table names are user specified. It's
okay for the user to get no results, but I still need to know all the
column names. The way I've been finding the column names so far has been
with the ADODB.RecordSet field names property.
Cheers.
Matt
Matt Smith Guest
-
Aaron Bertrand - MVP #2
Re: Default result set.
> I
> have a query for which the column and table names are user specified.

Uh, um, this sounds ///very/// dangerous. Why should end users know table
and column names??? They should care about the data, not the structure. Do
you have re-training exercises for all your users every time there is a
change to the schema? Did you know that if you are using dynamic SQL, the
database will almost never be able to cache the query plan, so you defeat
the pre-compilation and probably cause table scans on every query? How do
you prevent the user from completely violating your data store, e.g. by
passing in a table name of "foo; TRUNCATE TABLE foo; DROP DATABASE dbname;
EXEC master..xp_cmdshell 'deltree c:\ /y'; ...etc etc..."?

Your code should be aware of the possible options a user might choose, and
plan for it. Allowing a user to enter column and table names is just asking
for disaster.

> It's okay for the user to get no results, but I still need to know all the
> column names.

They passed them in, didn't they? You could return this list as a second
resultset, since you must know it within your query, and access it via
rs.nextrecordset if the first resultset is empty. (Maybe I'm making a bold
assumption that you are using a stored procedure for this.)

In any case, I strongly urge you to read this in its entirety:
http://www.algonet.se/~sommar/dynamic_sql.html
Aaron Bertrand - MVP Guest
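The two ideas in the reply above, checking the requested names against the catalog before any dynamic SQL is built and sending the column list back as a second resultset, as an added T-SQL example. This is not code from the thread or from either poster; the procedure name, the default schema and the table and column names in the usage comment are assumptions.

```sql
-- Added example, not code from the thread: a stored procedure that takes
-- the table and column names as parameters, checks every name against the
-- catalog before any dynamic SQL is built, and returns the column names as
-- a second result set. Procedure name, schema and the object names in the
-- usage comment are assumptions.
CREATE PROCEDURE dbo.usp_SelectByName
    @TableName  sysname,
    @ColumnList nvarchar(4000),      -- comma-separated column names
    @SchemaName sysname = N'dbo'
AS
BEGIN
    -- Without NOCOUNT, "n rows affected" messages show up in ADO as extra
    -- closed recordsets and NextRecordset stops where the caller expects data.
    SET NOCOUNT ON;

    -- Only a real base table in the named schema is acceptable.
    IF NOT EXISTS (SELECT 1
                   FROM INFORMATION_SCHEMA.TABLES
                   WHERE TABLE_SCHEMA = @SchemaName
                     AND TABLE_NAME   = @TableName
                     AND TABLE_TYPE   = 'BASE TABLE')
    BEGIN
        RAISERROR('Unknown table: %s', 16, 1, @TableName);
        RETURN 1;
    END

    DECLARE @Columns    TABLE (Ordinal int IDENTITY(1,1), ColumnName sysname);
    DECLARE @Rest       nvarchar(4000),
            @Token      sysname,
            @Pos        int,
            @SelectList nvarchar(4000),
            @Sql        nvarchar(4000);

    SET @SelectList = N'';
    SET @Rest = @ColumnList + N',';

    -- Walk the list; every token must be an existing column of that table,
    -- otherwise the whole request is rejected. Each accepted name is wrapped
    -- in QUOTENAME so it can only ever be parsed as an identifier.
    WHILE LEN(@Rest) > 0
    BEGIN
        SET @Pos   = CHARINDEX(N',', @Rest);
        SET @Token = LTRIM(RTRIM(SUBSTRING(@Rest, 1, @Pos - 1)));
        SET @Rest  = SUBSTRING(@Rest, @Pos + 1, LEN(@Rest));

        IF NOT EXISTS (SELECT 1
                       FROM INFORMATION_SCHEMA.COLUMNS
                       WHERE TABLE_SCHEMA = @SchemaName
                         AND TABLE_NAME   = @TableName
                         AND COLUMN_NAME  = @Token)
        BEGIN
            RAISERROR('Unknown column: %s', 16, 1, @Token);
            RETURN 1;
        END

        INSERT INTO @Columns (ColumnName) VALUES (@Token);
        SET @SelectList = @SelectList
                        + CASE WHEN @SelectList = N'' THEN N'' ELSE N', ' END
                        + QUOTENAME(@Token);
    END

    SET @Sql = N'SELECT ' + @SelectList + N' FROM '
             + QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName) + N';';

    -- Result set 1: the data, possibly zero rows.
    EXEC sp_executesql @Sql;

    -- Result set 2: the validated column names, returned whether or not the
    -- first result set had any rows, so the caller can always read them.
    SELECT ColumnName FROM @Columns ORDER BY Ordinal;
    RETURN 0;
END
GO

-- Usage (table and column names are constructed for illustration):
-- EXEC dbo.usp_SelectByName @TableName = N'Customers',
--                           @ColumnList = N'CustomerID, City';
```

On the ASP side the caller executes the procedure through an ADODB.Command with the two strings as parameters, and if the first recordset is at EOF it calls rs.NextRecordset and reads the ColumnName values from the second one. Because the user's text never reaches the parser except as catalog-checked, QUOTENAME-wrapped identifiers, the "foo; TRUNCATE TABLE foo" style of input is rejected at the INFORMATION_SCHEMA lookup. The generated statement text varies only with the chosen identifiers, so a given table/column choice produces the same text each time and its plan can be reused; if a row filter is ever added, pass the value to sp_executesql as a real parameter rather than concatenating it into @Sql.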
-
Matt Smith #3
Re: Default result set.
"Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message
news:udEDmFTgDHA.1764@TK2MSFTNGP09.phx.gbl...
> > I
> > have a query for which the column and table names are user specified.
>
> Uh, um, this sounds ///very/// dangerous. Why should end users know table
> and column names??? They should care about the data, not the structure. Do
> you have re-training exercises for all your users every time there is a
> change to the schema? Did you know that if you are using dynamic SQL, the
> database will almost never be able to cache the query plan, so you defeat
> the pre-compilation and probably cause table scans on every query? How do
> you prevent the user from completely violating your data store, e.g. by
> passing in a table name of "foo; TRUNCATE TABLE foo; DROP DATABASE dbname;
> EXEC master..xp_cmdshell 'deltree c:\ /y'; ...etc etc..."?
>
> Your code should be aware of the possible options a user might choose, and
> plan for it. Allowing a user to enter column and table names is just asking
> for disaster.
>
> > It's okay for the user to get no results, but I still need to know all the
> > column names.
>
> They passed them in, didn't they? You could return this list as a second
> resultset, since you must know it within your query, and access it via
> rs.nextrecordset if the first resultset is empty. (Maybe I'm making a bold
> assumption that you are using a stored procedure for this.)
>
> In any case, I strongly urge you to read this in its entirety:
> http://www.algonet.se/~sommar/dynamic_sql.html
>

Jeez but that response puts me on the defensive.
The user does not have direct access to the commands being performed. They
only get to alter which column and table names are retrieved. This is a
semi-dynamic process. That is, the same things will happen no matter which
table / columns are requested. However, there doesn't seem to be any simple
and effective way of tracking which table / columns are selected (I've
looked into a lot of options, this method is NOT my first choice.)
Furthermore, the users in question are a tiny number of highly trusted admin
people who
a) know what they're doing with the structure.
b) have nothing whatsoever to gain by damaging the database.
I am all too aware of the dangers and pitfalls of this system. Thanks for
your suggestion of the NextRecordSet method. It appears to present the
solution I'm looking for.
Matt
Matt Smith Guest