473,395 Members | 2,796 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > visual basic .net > questions > sql contains clause validation problem

Join Bytes to post your question to a community of 473,395 software developers and data experts.

SQL contains clause validation problem

Hi,

I'm writing a visual basic application which searches a database of e-mail
messages, based on certain criteria. I'm using dynamic SQL and an exec
sp_executesql statement on the dynamic sql string. I'm using full text
indexing, and a contains clause to search certain columns, and I'm trying to
figure out the best way to validate the input passed from visual basic to my
sql query. SQL has certain "noise" words that are ignored, and generate
errors in my program. The requirement for the validation is...
1. search strings cannot start with (and, or, not)
2. single search terms must be surrounded by quotes, and cannot be a noise
word.
3. phrases(two or more words separated by spaces) must be surrounded by
quotes, and may contain noise words, but all words within the phrase must
not be noise words.
I found trying to write something to validate this is quite a headache, and
I was wondering if anyone had thoughts on an efficient way to do this. A
list of noise words can be found at:
http://beinecke.library.yale.edu/SQLIgnoredWords.html

The part of the dynamic sql search looks like this:
IF @SubjectSearch IS NOT NULL
select @sql = @sql + ' AND CONTAINS(M.Subject, @xSubjectSearch)'

Thanks in advance.
-Matt
Nov 20 '05 #1
4 1630
I'm wondering why you need to filter out noise words when SQL Server
will do it for you? If you need to validate your input strings, use
regular expressions -- here's a link to the help topic:
ms-help://MS.VSCC.2003/MS.MSDNQTR.2004APR.1033/cpguide/html/cpconCOMRegularExpressions.htm

Also, be aware that using sp_executesql to execute dynamic SQL is a
good way to leave your database open to SQL injection attacks and is
not recommended. There's a lot of good info available if you google
"sql injection SQL Server".

--Mary

On Thu, 29 Jul 2004 11:13:02 -0400, "matt" <bl******@blahblah.com>
wrote:
Hi,

I'm writing a visual basic application which searches a database of e-mail
messages, based on certain criteria. I'm using dynamic SQL and an exec
sp_executesql statement on the dynamic sql string. I'm using full text
indexing, and a contains clause to search certain columns, and I'm trying to
figure out the best way to validate the input passed from visual basic to my
sql query. SQL has certain "noise" words that are ignored, and generate
errors in my program. The requirement for the validation is...
1. search strings cannot start with (and, or, not)
2. single search terms must be surrounded by quotes, and cannot be a noise
word.
3. phrases(two or more words separated by spaces) must be surrounded by
quotes, and may contain noise words, but all words within the phrase must
not be noise words.
I found trying to write something to validate this is quite a headache, and
I was wondering if anyone had thoughts on an efficient way to do this. A
list of noise words can be found at:
http://beinecke.library.yale.edu/SQLIgnoredWords.html

The part of the dynamic sql search looks like this:
IF @SubjectSearch IS NOT NULL
select @sql = @sql + ' AND CONTAINS(M.Subject, @xSubjectSearch)'

Thanks in advance.
-Matt


Nov 20 '05 #2
Mary,

We're aware of the risks of dynamic SQL, but unfortunately until SQL Server
2005, we will have to deal with this issue. To do this query statically,
would require (permutation of the varying amount of parameters) queries, in
conditional statements.
-Matt
"Mary Chipman" <mc***@online.microsoft.com> wrote in message
news:a3********************************@4ax.com...
I'm wondering why you need to filter out noise words when SQL Server
will do it for you? If you need to validate your input strings, use
regular expressions -- here's a link to the help topic:
ms-help://MS.VSCC.2003/MS.MSDNQTR.2004APR.1033/cpguide/html/cpconCOMRegularE
xpressions.htm
Also, be aware that using sp_executesql to execute dynamic SQL is a
good way to leave your database open to SQL injection attacks and is
not recommended. There's a lot of good info available if you google
"sql injection SQL Server".

--Mary

On Thu, 29 Jul 2004 11:13:02 -0400, "matt" <bl******@blahblah.com>
wrote:
Hi,

I'm writing a visual basic application which searches a database of e-mailmessages, based on certain criteria. I'm using dynamic SQL and an exec
sp_executesql statement on the dynamic sql string. I'm using full text
indexing, and a contains clause to search certain columns, and I'm trying tofigure out the best way to validate the input passed from visual basic to mysql query. SQL has certain "noise" words that are ignored, and generate
errors in my program. The requirement for the validation is...
1. search strings cannot start with (and, or, not)
2. single search terms must be surrounded by quotes, and cannot be a noiseword.
3. phrases(two or more words separated by spaces) must be surrounded by
quotes, and may contain noise words, but all words within the phrase must
not be noise words.
I found trying to write something to validate this is quite a headache, andI was wondering if anyone had thoughts on an efficient way to do this. A
list of noise words can be found at:
http://beinecke.library.yale.edu/SQLIgnoredWords.html

The part of the dynamic sql search looks like this:
IF @SubjectSearch IS NOT NULL
select @sql = @sql + ' AND CONTAINS(M.Subject, @xSubjectSearch)'

Thanks in advance.
-Matt

Nov 20 '05 #3
>We're aware of the risks of dynamic SQL, but unfortunately until SQL Server
2005, we will have to deal with this issue. To do this query statically,
would require (permutation of the varying amount of parameters) queries, in
conditional statements.


Just wanted to rule out the possibility that you didn't know what you
were doing in that regard :-)

--Mary
Nov 20 '05 #4
>We're aware of the risks of dynamic SQL, but unfortunately until SQL Server
2005, we will have to deal with this issue. To do this query statically,
would require (permutation of the varying amount of parameters) queries, in
conditional statements.


Just wanted to rule out the possibility that you didn't know what you
were doing in that regard :-)

--Mary
Nov 20 '05 #5
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
using contains clause
by: Rob Wahmann | last post by:
Hello - I'm using the following syntax: WHERE pages.ParentID=0 AND CONTAINS(pages.regionID,'#request.thisRegion#') ....and I get the folowing error: Execution of a full-text operation...
Microsoft SQL Server
22
With clause syntax errors but how do I fix it?
by: Phil Powell | last post by:
<script> <!-- function isValidAlert() { for (var i = 0; i < document.alertForm.length; i++) { with (document.alertForm.elements) { if (.name == "text" || .name == "password" || .name ==...
Javascript
3
2 validation groups problem
by: john morales | last post by:
Hi guys, I have a problem and i know there must be a solution for this as it is such a basic common practice in asp.net development. Scenario: i have many webforms in a site, most with two...
ASP.NET
9
Panel Validation
by: Bill Long | last post by:
I have a control that simply displays a list of links. Following one of the links doesn't post back or redirect to another page, it simply hides the current panel and shows the one you selected......
ASP.NET
2
Collection Class contains
by: Jon | last post by:
Hello all. I have a collection class that holds a number of clauses. One particular type of clause has a member variable called type - this is an enum. How do I check this collection class to...
C# / C Sharp
1
CONTAINS in SQL Server
by: djamilabouzid | last post by:
Hi, I have a question about MS SQL Server 2005: I have a table in the database that contains 70 fields. I must perform full-text search in about 60 fields. I use for that the full-text...
Microsoft SQL Server
9
Why is a simple WHERE clause so slow?
by: Emin | last post by:
Dear Experts, I have a fairly simple query in which adding a where clause slows things down by at least a factor of 100. The following is the slow version of the query ...
Microsoft SQL Server
3
CONTAINS clause with multi-word "AND" inflectional searching??? help...
by: garrettm | last post by:
What if you want to search using FTS with AND logic using the FORMSOF(inflectional,...) inside the CONTAINS() clause??? if my search phrase is "light hearted" I can easily do an OR search using...
Microsoft SQL Server
4
LINQ Question (Contains)
by: BeSharp | last post by:
I recently stumbled across a pretty interesting LINQ to SQL question and wonder, whether anybody might have an answer. (I'm doing quite some increasing LINQ evangelism down here in Germany.). ...
C# / C Sharp
0
Merging data from multiple Excel files
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
Data Management
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware
0
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
General
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing
0
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
General
0
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
Career Advice

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!