By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
443,815 Members | 1,143 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 443,815 IT Pros & Developers. It's quick & easy.

SQL contains clause validation problem

P: n/a
Hi,

I'm writing a visual basic application which searches a database of e-mail
messages, based on certain criteria. I'm using dynamic SQL and an exec
sp_executesql statement on the dynamic sql string. I'm using full text
indexing, and a contains clause to search certain columns, and I'm trying to
figure out the best way to validate the input passed from visual basic to my
sql query. SQL has certain "noise" words that are ignored, and generate
errors in my program. The requirement for the validation is...
1. search strings cannot start with (and, or, not)
2. single search terms must be surrounded by quotes, and cannot be a noise
word.
3. phrases(two or more words separated by spaces) must be surrounded by
quotes, and may contain noise words, but all words within the phrase must
not be noise words.
I found trying to write something to validate this is quite a headache, and
I was wondering if anyone had thoughts on an efficient way to do this. A
list of noise words can be found at:
http://beinecke.library.yale.edu/SQLIgnoredWords.html

The part of the dynamic sql search looks like this:
IF @SubjectSearch IS NOT NULL
select @sql = @sql + ' AND CONTAINS(M.Subject, @xSubjectSearch)'

Thanks in advance.
-Matt
Nov 20 '05 #1
Share this Question
Share on Google+
4 Replies


P: n/a
I'm wondering why you need to filter out noise words when SQL Server
will do it for you? If you need to validate your input strings, use
regular expressions -- here's a link to the help topic:
ms-help://MS.VSCC.2003/MS.MSDNQTR.2004APR.1033/cpguide/html/cpconCOMRegularExpressions.htm

Also, be aware that using sp_executesql to execute dynamic SQL is a
good way to leave your database open to SQL injection attacks and is
not recommended. There's a lot of good info available if you google
"sql injection SQL Server".

--Mary

On Thu, 29 Jul 2004 11:13:02 -0400, "matt" <bl******@blahblah.com>
wrote:
Hi,

I'm writing a visual basic application which searches a database of e-mail
messages, based on certain criteria. I'm using dynamic SQL and an exec
sp_executesql statement on the dynamic sql string. I'm using full text
indexing, and a contains clause to search certain columns, and I'm trying to
figure out the best way to validate the input passed from visual basic to my
sql query. SQL has certain "noise" words that are ignored, and generate
errors in my program. The requirement for the validation is...
1. search strings cannot start with (and, or, not)
2. single search terms must be surrounded by quotes, and cannot be a noise
word.
3. phrases(two or more words separated by spaces) must be surrounded by
quotes, and may contain noise words, but all words within the phrase must
not be noise words.
I found trying to write something to validate this is quite a headache, and
I was wondering if anyone had thoughts on an efficient way to do this. A
list of noise words can be found at:
http://beinecke.library.yale.edu/SQLIgnoredWords.html

The part of the dynamic sql search looks like this:
IF @SubjectSearch IS NOT NULL
select @sql = @sql + ' AND CONTAINS(M.Subject, @xSubjectSearch)'

Thanks in advance.
-Matt


Nov 20 '05 #2

P: n/a
Mary,

We're aware of the risks of dynamic SQL, but unfortunately until SQL Server
2005, we will have to deal with this issue. To do this query statically,
would require (permutation of the varying amount of parameters) queries, in
conditional statements.
-Matt
"Mary Chipman" <mc***@online.microsoft.com> wrote in message
news:a3********************************@4ax.com...
I'm wondering why you need to filter out noise words when SQL Server
will do it for you? If you need to validate your input strings, use
regular expressions -- here's a link to the help topic:
ms-help://MS.VSCC.2003/MS.MSDNQTR.2004APR.1033/cpguide/html/cpconCOMRegularE
xpressions.htm
Also, be aware that using sp_executesql to execute dynamic SQL is a
good way to leave your database open to SQL injection attacks and is
not recommended. There's a lot of good info available if you google
"sql injection SQL Server".

--Mary

On Thu, 29 Jul 2004 11:13:02 -0400, "matt" <bl******@blahblah.com>
wrote:
Hi,

I'm writing a visual basic application which searches a database of e-mailmessages, based on certain criteria. I'm using dynamic SQL and an exec
sp_executesql statement on the dynamic sql string. I'm using full text
indexing, and a contains clause to search certain columns, and I'm trying tofigure out the best way to validate the input passed from visual basic to mysql query. SQL has certain "noise" words that are ignored, and generate
errors in my program. The requirement for the validation is...
1. search strings cannot start with (and, or, not)
2. single search terms must be surrounded by quotes, and cannot be a noiseword.
3. phrases(two or more words separated by spaces) must be surrounded by
quotes, and may contain noise words, but all words within the phrase must
not be noise words.
I found trying to write something to validate this is quite a headache, andI was wondering if anyone had thoughts on an efficient way to do this. A
list of noise words can be found at:
http://beinecke.library.yale.edu/SQLIgnoredWords.html

The part of the dynamic sql search looks like this:
IF @SubjectSearch IS NOT NULL
select @sql = @sql + ' AND CONTAINS(M.Subject, @xSubjectSearch)'

Thanks in advance.
-Matt

Nov 20 '05 #3

P: n/a
>We're aware of the risks of dynamic SQL, but unfortunately until SQL Server
2005, we will have to deal with this issue. To do this query statically,
would require (permutation of the varying amount of parameters) queries, in
conditional statements.


Just wanted to rule out the possibility that you didn't know what you
were doing in that regard :-)

--Mary
Nov 20 '05 #4

P: n/a
>We're aware of the risks of dynamic SQL, but unfortunately until SQL Server
2005, we will have to deal with this issue. To do this query statically,
would require (permutation of the varying amount of parameters) queries, in
conditional statements.


Just wanted to rule out the possibility that you didn't know what you
were doing in that regard :-)

--Mary
Nov 20 '05 #5

This discussion thread is closed

Replies have been disabled for this discussion.