
From my web app I want to give the user the full power of CONTAINS in a full-text search; however, it's very easy for a user to enter an invalid string, such as a phrase that's not in quotes.

I could laboriously parse the input and work out whether it's valid, or I could handle the syntax error that comes back from SQL.

But are these the only two options? Is there anything I can use to validate the input?

marc_s
Chris Simpson
  • not sure if MsSql supports it, but can't you use prepared statements? – Daan Timmer Jan 17 '11 at 23:22
  • @Daan I believe they are the equivalent of parameterized queries which I am already using. – Chris Simpson Jan 17 '11 at 23:25
  • Well, if they indeed are the same, then there is no problem submitting user input directly into the database using a prepared/parameterized statement. Just be 100% sure that the SQL is first parsed and only then that your data/input is supplied. – Daan Timmer Jan 17 '11 at 23:43
  • My question was more to do with the blind creation of errors as opposed to validating the input first. Trying to avoid SQL insertion by using parameterized queries/prepared statements is a different matter I believe. – Chris Simpson Jan 17 '11 at 23:47
  • +1 Chris, did you ever resolve this? If so, how? – Tom Chantler Feb 02 '12 at 17:37
  • Hi @Dommer, I'm afraid not. I resorted to a small amount of pre-parsing to capture the most common issues and left the rest to SQL. I've since moved on to other projects. Good luck with whatever you're on. – Chris Simpson Feb 02 '12 at 23:43
  • possible duplicate of [Converting user-entered search query to where clause for use in SQL Server full-text search](http://stackoverflow.com/questions/506034/converting-user-entered-search-query-to-where-clause-for-use-in-sql-server-full) – Oran D. Lord Aug 14 '14 at 18:21
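The thread never shows what the "small amount of pre-parsing" looks like, and the exchange about prepared statements is worth separating out: binding the search text as a parameter stops injection, but the full-text engine still parses the *value* of that parameter as a CONTAINS search condition at execution time, so an unterminated quote or a dangling operator inside it raises a syntax error just as if it had been concatenated. The function below is an added example (not code from the original post or its commenters) of the normalising approach: rather than validating the user's text and rejecting it, it rewrites the text into a condition that is always syntactically valid and hands that to a parameterized query. The column name `Body`, the parameter `@q` and the exact set of characters kept are assumptions made for the example.

```python
import re
from typing import List, Optional

# Hypothetical web-app helper written for this thread, not from the original
# post.  The returned string is meant to be bound as a parameter, e.g.
#     ... WHERE CONTAINS(Body, @q)
# (column "Body" and parameter "@q" are assumptions).

# A double-quoted phrase whose closing quote is optional (so an unterminated
# quote is tolerated here instead of reaching SQL Server), or a bare run of
# non-blank, non-quote characters.
_TOKEN_RE = re.compile(r'"([^"]*)"?|([^\s"]+)')

# Anything other than word characters, blanks, apostrophes, dots and hyphens
# is punctuation the word breaker would discard or, left unquoted, would be
# read as CONTAINS syntax ( ) ~ * " ; it is replaced by a blank.
_NOISE_RE = re.compile(r"[^\w\s'.\-]")

_BOOLEAN = {"AND", "OR", "NOT"}


def _term(raw: str) -> Optional[str]:
    """Quote one token as a simple term, phrase or prefix term; None if empty."""
    prefix = raw.endswith("*")            # trailing * -> prefix term, e.g. "sec*"
    text = " ".join(_NOISE_RE.sub(" ", raw.rstrip("*")).split())
    if not text:
        return None                       # nothing searchable survived cleaning
    return f'"{text}*"' if prefix else f'"{text}"'


def to_contains_condition(user_input: str) -> str:
    """Rewrite free-form search text as a valid CONTAINS search condition.

    Every term is double-quoted, so reserved words such as NEAR and all
    punctuation are neutralised.  and/or/not (any case) become boolean
    operators; a leading NOT or a trailing operator is dropped, repeated
    operators collapse to the last one, and NOT always becomes AND NOT
    because OR NOT is not valid CONTAINS syntax.  Terms are joined with AND.
    Returns "" when nothing searchable remains; the caller must then skip
    the query, since CONTAINS with an empty condition is itself an error.
    """
    out: List[str] = []
    op: Optional[str] = None    # AND / OR waiting for the next term
    negate = False              # NOT waiting for the next term
    for quoted, bare in _TOKEN_RE.findall(user_input):
        if bare and bare.upper() in _BOOLEAN:
            if bare.upper() == "NOT":
                negate = True
            else:
                op = bare.upper()
            continue
        term = _term(quoted if quoted else bare)
        if term is None:
            continue
        if out:
            out.append("AND NOT" if negate else (op or "AND"))
        out.append(term)        # a leading NOT has nothing to negate: dropped
        op, negate = None, False
    return " ".join(out)


if __name__ == "__main__":
    # Constructed sample inputs, including the unterminated-quote case from the question.
    for s in ['"full text search', 'sql OR NOT oracle', 'near ~ (x)', 'AND OR']:
        print(repr(s), "->", repr(to_contains_condition(s)))
```

Because the output only ever contains the double quotes the function itself emits, no `""` escaping is needed inside terms; an apostrophe in a term (`"don't"`) is harmless as long as the value is bound as a parameter and never spliced into a string literal. What this buys you is that the common failure modes in the question (a phrase missing its closing quote, `and`/`or` typed in the wrong place, a stray parenthesis) never reach the full-text parser; anything exotic it does not anticipate can still be caught by handling the SQL error as a last resort, which is the hybrid the asker ended up with.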
