
   comp.databases.ms-sqlserver      Notorious Rube Goldberg contraption      19,505 messages   


   Message 18,724 of 19,505   
   Gene Wirchenko to esquel@sommarskog.se   
   Re: Escape Characters in Strings   
   22 Aug 12 17:38:56   
   
   From: genew@ocis.net   
      
   On Wed, 22 Aug 2012 23:35:15 +0200, Erland Sommarskog wrote:
      
   >Gene Wirchenko (genew@ocis.net) writes:   
   >>      I will be building only statements that execute stored   
   >> procedures.  e.g.   
   >>            execute ExampleProc 'abc',1,2,3   
   >> or   
   >>            execute ExampleProc theString='abc',foo=1,bar=2,baz=3   
   >> Does that count?   
   >   
   >Yes, that counts, and you should not be doing it. Assuming that you are   
   >using C#, it should look like this:   
      
        Rats!  I would be using VBScript.  I hope the syntax is similar.   
      
   >  cmd.CommandType = CommandType.StoredProcedure;   
   >  cmd.CommandText = "dbo.ExampleProc";    // Always include schema!   
   >  cmd.Parameters.Add("@theString", SqlDbType.VarChar, 20);
   >  cmd.Parameters["@theString"].Value = "abc";   
      
        There appear to be pieces missing.  Presumably, the other   
   parameters get similar treatment in their declared order, and   
   something must state to go.   
      
   >This results in an RPC call which is more efficient. And there is no risk   
   >for SQL Injection.   
      
        I will do some hunting for SQL Server and RPC and see what it   
   gets me.   
      
   Sincerely,   
      
   Gene Wirchenko   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
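
The full call that the quoted C# fragment belongs to, written out as an added example (not code from either poster). The connection string, the `int` types for `@foo`, `@bar` and `@baz`, and the sample value are assumptions; the procedure and parameter names are the ones used in the thread.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class ExampleProcCaller
{
    // Builds the command as an RPC call: the procedure name is the whole
    // CommandText, and every argument travels as a typed parameter.
    // SqlClient matches parameters by name, not by the order they are added.
    static SqlCommand BuildCommand(SqlConnection conn, string theString,
                                   int foo, int bar, int baz)
    {
        var cmd = new SqlCommand("dbo.ExampleProc", conn);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@theString", SqlDbType.VarChar, 20).Value = theString;
        cmd.Parameters.Add("@foo", SqlDbType.Int).Value = foo;   // type assumed
        cmd.Parameters.Add("@bar", SqlDbType.Int).Value = bar;   // type assumed
        cmd.Parameters.Add("@baz", SqlDbType.Int).Value = baz;   // type assumed
        return cmd;
    }

    static void Main()
    {
        // Placeholder connection string (assumption, not from the thread).
        const string connStr =
            "Server=localhost;Database=ExampleDb;Integrated Security=true";

        // Constructed input with an embedded single quote. It is sent as
        // data, so no doubling or escaping of the quote is needed.
        string input = "O'Brien";

        using (var conn = new SqlConnection(connStr))
        using (var cmd = BuildCommand(conn, input, 1, 2, 3))
        {
            conn.Open();
            int rows = cmd.ExecuteNonQuery();   // this is the step that runs the call
            Console.WriteLine("Rows affected: " + rows);
        }
    }
}
```

Because the value never becomes part of a statement string, the quote in `O'Brien` cannot terminate a literal or change what is executed, which is the escaping problem the thread title refers to.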
