CRecordset parameterized queries

Hi, I have a project in which I use a CRecordset-derived class extensively, and I would like to start using parameterized queries to open these recordsets instead of using pure string concatenation to create the queries, in order to avoid SQL injection and also so that I can handle strings that include escape characters and so on correctly.

So, does CRecordset in any way support parameterized queries, possibly in CRecordset::Open()?


DanRollins Commented:
I usually drop down to the lower-level SqlXxxxx API. In the attached, I have a CDb object that's derived from CDatabase.
This CodeProject article includes source code that extends CRecordset for easy parameterization. The source code ought to answer your question.
    Parameterized CODBCRecordset Class
But CRecordset supports this itself without much effort. See:
    Recordset: Parameterizing a Recordset (ODBC)
Once you've set it up, it all takes place automatically in the DoFieldExchange function.

// Use to UPDATE etc. with a single big string parameter.
// sStmt looks like "UPDATE xxx set yyy=? where zzz=123"; the value of sParam is
// bound to the '?' rather than concatenated into the statement text.
// SqlPrepare, SqlBindLongStrParam, SqlExecute and SqlComplete are helper
// methods of the poster's CDb class (derived from CDatabase), not MFC members.
ErrRet CDb::SqlSetBigStr( LPCSTR sStmt, CString& sParam )
{
    ErrRet eRet = NO_ERR;

    eRet = SqlPrepare( sStmt );
    if ( eRet != NO_ERR ) return eRet;   // don't let a later step mask this error
    eRet = SqlBindLongStrParam( (LPCSTR)sParam, sParam.GetLength()+1 );
    if ( eRet != NO_ERR ) return eRet;
    eRet = SqlExecute();
    if ( eRet != NO_ERR ) return eRet;
    eRet = SqlComplete();
    return ( eRet );
}


Are SQL injection attacks really a potential problem?

They occur where the user hacks the query string, which is on plain display in the address bar, or otherwise obtained. Are you using query strings?
CForti (Author) Commented:
They are not a problem right now, but they may become a problem in the future. Additionally, some of the strings I want to retrieve from the database have the ' character in them, which will cause problems unless I

a) escape it, which I don't like, or
b) use parameterization, where I was told I could use any string, including the ' character that usually delimits a SQL string.

Therefore, I would like to use parameterization if possible.
CForti (Author) Commented:
Thanks, I will check if this is a viable solution when I get back from vacation.
