CRecordset parameterized queries

Hi, I have a project in which I use a CRecordset-derived class extensively, and I would like to start using parameterized queries to open these recordsets instead of using pure string concatenation to create the queries, in order to avoid SQL injection and also so that I can handle strings that include escape characters and so on correctly.

So, does CRecordset in any way support parameterized queries, possibly in CRecordset::Open()?

Thanks!
CForti Asked:
mrwad99 Commented:
Are SQL injection attacks really a potential problem?

They occur where the user hacks the query string, which is on plain display in the address bar, or otherwise obtained. Are you using query strings?
CForti (Author) Commented:
They are not a problem right now, but they may become a problem in the future. Additionally, some of the strings I want to retrieve from the database have the ' character in them, which will cause problems unless I

a) escape it, which I don't like, or
b) use parameterization, where I was told I could use any string, including the ' character that usually delimits a SQL string.

Therefore, I would like to use parameterization if possible.
DanRollins Commented:
I usually drop down to the lower-level SqlXxxxx API. In the attached, I have a CDb object that's derived from CDatabase.
This CodeProject article includes source code that extends CRecordset for easy parameterization. The source code ought to answer your question.
    Parameterized CODBCRecordset Class
    http://www.codeproject.com/KB/database/parameterodbc.aspx
But CRecordset supports this itself without much effort. See:
    Recordset: Parameterizing a Recordset (ODBC)
    http://msdn.microsoft.com/en-us/library/ax3w1w3z(VS.80).aspx
Once you've set it up, it all takes place automatically in the DoFieldExchange function.

//----------------------------------------------------------------------
// Use to UPDATE etc. with a single big string parameter.
//  sStmt looks like "UPDATE xxx SET yyy=? WHERE zzz=123"
// SqlPrepare / SqlBindLongStrParam / SqlExecute / SqlComplete are CDb's own
// wrappers around the ODBC statement calls (not shown here).
ErrRet CDb::SqlSetBigStr( LPCSTR sStmt, CString& sParam )
{
    ErrRet eRet = NO_ERR;

    // Stop at the first failing step instead of overwriting eRet and
    // executing a statement that was never prepared or bound.
    eRet = SqlPrepare( sStmt );
    if ( eRet != NO_ERR ) return eRet;
    // The parameter value is sent as bound data, so quotes inside it need no escaping.
    eRet = SqlBindLongStrParam( (LPCSTR)sParam, sParam.GetLength()+1 );
    if ( eRet != NO_ERR ) return eRet;
    eRet = SqlExecute();
    if ( eRet != NO_ERR ) return eRet;
    eRet = SqlComplete();
    return ( eRet );
}


CForti (Author) Commented:
Thanks, I will check if this is a viable solution when I get back from vacation.

Cheers,

CForti
DanRollins Commented:
well?