
store T-SQL in database

I have an ASP.NET page that creates controls at runtime. I am also
wanting to create drop down lists at runtime that connect to a view in
SQL Server. I was thinking of storing either the view name or the SQL
statement in a field, and using that to create the datasource for the
ddl at runtime. I was thinking I could store the connection strings
in variables since there would only be two or three. My main concern
is whether there are any security risks involved in storing SQL
statements in a field, and accessing that using ADO in my code. For
example:

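Imports System.Data
Imports System.Data.SqlClient
Function GetDataSource() As String
    Dim ConnectionString As String = "server=;UID=;database=;PWD=;" ' placeholder, as in BindDDL
    Dim sql As String = "SELECT SQL_STATMENT FROM REPORT_TABLE WHERE REPORT_ID=1"
    Using cn As New SqlConnection(ConnectionString), cmd As New SqlCommand(sql, cn)
        cn.Open()
        Return CStr(cmd.ExecuteScalar()) ' the SQL text stored for report 1
    End Using
End Function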

This would get a SQL statement from the field and use it as follows:

Sub BindDDL()
    Dim ConnectionString As String = "server=;UID=;database=;PWD=;"
    ' The command text is whatever SQL is stored in REPORT_TABLE
    Dim CommandText As String = GetDataSource()
    Dim myConnection As New SqlConnection(ConnectionString)
    Dim myCommand As New SqlCommand(CommandText, myConnection)
    ddl.DataTextField = "field1"
    ddl.DataValueField = "field2"
    myConnection.Open()
    ' CloseConnection closes the connection when the reader is closed
    ddl.DataSource = myCommand.ExecuteReader(CommandBehavior.CloseConnection)
    ddl.DataBind()
End Sub

Again, my only concern is security.
Jul 21 '05 #1
Yes, that's a security risk unless you store it encrypted. I highly
recommend against this approach. Storing SQL statements in a DB is fine, but
in general, the less that you expose (i.e. hide behind tightly permissioned
procs) the better.

Here's a great article on the subject...
http://msdn.microsoft.com/library/de...SecNetHT11.asp
"Stephen Witter" <sw*****@medamicus.com> wrote in message
news:18**************************@posting.google.com...

Jul 21 '05 #2
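
One way to apply the answer's advice about tightly permissioned procs to the view-name option from the question, as an added example that is not part of the original thread. It assumes SQL Server 2005 or later; the VIEW_NAME column, dbo.usp_GetReportList, web_reader and dbo.vw_Departments are hypothetical names.

```sql
-- Added example. Assumed names: VIEW_NAME, usp_GetReportList,
-- web_reader, vw_Departments. REPORT_TABLE holds a view name per
-- REPORT_ID instead of free-form SQL.
CREATE PROCEDURE dbo.usp_GetReportList
    @ReportId int
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @view sysname, @sql nvarchar(400);

    -- Accept the stored value only if it names a real view in dbo,
    -- so a tampered row cannot smuggle in arbitrary SQL text.
    SELECT @view = v.name
    FROM dbo.REPORT_TABLE AS r
    JOIN sys.views AS v
      ON v.name = r.VIEW_NAME
     AND v.schema_id = SCHEMA_ID(N'dbo')
    WHERE r.REPORT_ID = @ReportId;

    IF @view IS NULL
    BEGIN
        RAISERROR(N'Unknown report.', 16, 1);
        RETURN;
    END;

    -- The column list is fixed; QUOTENAME brackets the identifier.
    SET @sql = N'SELECT field1, field2 FROM dbo.'
             + QUOTENAME(@view) + N';';
    EXEC sys.sp_executesql @sql;
END;
GO

-- The web login is a member of this role and nothing else.
CREATE ROLE web_reader;
GRANT EXECUTE ON dbo.usp_GetReportList TO web_reader;

-- Dynamic SQL is permission-checked against the caller, so each view
-- that may feed a drop-down list is granted explicitly. These grants
-- are the effective allowlist.
GRANT SELECT ON dbo.vw_Departments TO web_reader;

-- No rights are granted on dbo.REPORT_TABLE itself: the static lookup
-- inside the procedure is covered by ownership chaining, so the web
-- login can neither read nor change the stored names directly.
GO
```

On the page side, BindDDL would then call this procedure with CommandType.StoredProcedure and a REPORT_ID parameter rather than passing stored text to SqlCommand.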
