pass sql statement to store procedure - Microsoft SQL / MS SQL Server

  1. #1

    pass sql statement to store procedure

    Hi All,

    Can I pass a SQL statement from ASP to a stored procedure?

    If I can, how can I run that SQL statement in the stored procedure?

    Thx~


    Vitamin Guest

  2. #2

    Re: pass sql statement to store procedure

    You can use dynamic SQL for this by having the SP accept a string
    parameter and then, in the stored procedure, execute that string

    -- Runs whatever statement text the caller passes in @sql
    CREATE PROC ExecMySQL (@sql varchar(100))
    AS
    BEGIN
        EXEC(@sql)
    END

    If you are trying to pass just a SQL statement to a stored procedure, it may
    lead to security problems, as any statement (like Delete) can be passed to
    it.
    Please refer to the following wonderful article for more info.

    http://www.algonet.se/~sommar/dynamic_sql.html

    HTH,
    Srinivas Sampangi



    sampangi Guest

  3. #3

    Re: pass sql statement to store procedure

    > Can I pass a SQL statement from ASP to a stored procedure?

    Sure, but why bother? You lose most, if not all, of the advantages of
    having a stored procedure in the first place... why not just execute the
    string you built in ASP, directly against the connection object. I see no
    need for a stored procedure to be involved...


    Aaron Guest

  4. #4

    Re: pass sql statement to store procedure

    On Wed, 13 Aug 2003 10:33:56 +0800, "Vitamin" <com> wrote:
     

    I won't repeat what others have said here, but add:

    1) regarding what Srinivas said about Delete, do a search on "SQL
    Insertion" and find out how passing SQL from an ASP can be harmful

    2) realise that any dynamic SQL string that you execute in a stored
    procedure will execute with the privileges of the caller, not the stored
    procedure, so there is no security advantage of doing this - as Aaron
    said, why not just execute the SQL string?

    cheers,
    Ross.
    --
    Ross McKay, WebAware Pty Ltd
    "Since when were you so generously inarticulate?" - Elvis Costello

    Ross Guest

  5. #5

    Re: pass sql statement to store procedure

    > So, I want just get a specific ranges record, say the user need to view page

    www.aspfaq.com/2120


    Aaron Guest
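
Replies #2 and #4 warn that a procedure which executes a caller-supplied string can be handed any statement and runs it with the caller's privileges. The T-SQL below is an added example, not code from any poster in this thread: it passes typed values instead of statements, and limits the one piece of dynamic SQL to an allow-listed column name plus sp_executesql parameters. The table dbo.Orders, the role web_app and both procedure names are assumptions; CREATE ROLE needs SQL Server 2005 or later.

```sql
-- Added example. dbo.Orders, web_app and the procedure names are hypothetical.
CREATE TABLE dbo.Orders (
    OrderId    int IDENTITY PRIMARY KEY,
    CustomerId int      NOT NULL,
    OrderDate  datetime NOT NULL,
    Total      money    NOT NULL
);
GO

-- 1. Static SQL with a typed parameter: the caller supplies a value, never a statement.
CREATE PROCEDURE dbo.GetOrdersForCustomer
    @CustomerId int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END
GO

-- 2. Where part of the statement must vary (here the sort column), check the
--    identifier against an allow-list and bind the values as parameters.
CREATE PROCEDURE dbo.GetOrdersSorted
    @CustomerId int,
    @SortColumn sysname
AS
BEGIN
    SET NOCOUNT ON;
    IF @SortColumn IS NULL OR @SortColumn NOT IN (N'OrderDate', N'Total')
    BEGIN
        RAISERROR(N'Unsupported sort column.', 16, 1);
        RETURN;
    END
    DECLARE @sql nvarchar(400);
    SET @sql = N'SELECT OrderId, OrderDate, Total FROM dbo.Orders'
             + N' WHERE CustomerId = @cid ORDER BY ' + QUOTENAME(@SortColumn);
    EXEC sp_executesql @sql, N'@cid int', @cid = @CustomerId;
END
GO

-- 3. Permissions: the application role gets EXECUTE only, no table rights.
CREATE ROLE web_app;
GRANT EXECUTE ON dbo.GetOrdersForCustomer TO web_app;
GRANT EXECUTE ON dbo.GetOrdersSorted TO web_app;
-- Procedure 1 works for web_app through ownership chaining.
-- Procedure 2 fails for web_app with a SELECT permission error: the dynamic
-- string is checked against the caller's rights, as reply #4 says, so it needs
-- SELECT on dbo.Orders granted, or EXECUTE AS on the procedure.
```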
