Multiple command in 1 query?
on 02.10.2006 21:55:19 by Jagno
Can you submit multiple commands in one SQL query in ASP? Something
like this:
"SELECT * FROM users; INSERT INTO users ('user','pass') VALUES
('test','test');"
When I try I keep getting the error 'Characters found after end of SQL
statement.'
Re: Multiple command in 1 query?
on 02.10.2006 22:27:14 by reb01501
Jagno wrote:
> Can you submit multiple commands in one SQL query in ASP? Something
> like this:
>
> "SELECT * FROM users; INSERT INTO users ('user','pass') VALUES
> ('test','test');"
>
> When I try I keep getting the error 'Characters found after end of SQL
> statement.'
It depends on the database.
Jet: No
SQL Server: yes
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Re: Multiple command in 1 query?
on 03.10.2006 18:50:36 by Jagno
Ah, that makes sense. So it seems that while Jet is lacking the
functionality, it's inadvertently protected from some forms of SQL
injection attacks. Interesting. Thanks a lot for your comments.
Re: Multiple command in 1 query?
on 03.10.2006 19:48:20 by reb01501
Some forms, but certainly not all. The best protection is to use
parameters instead of dynamic sql.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
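
Added example (not written by any poster in this thread): the point made above, that rejecting a second statement stops only some injection forms while parameters stop them all, shown in runnable form. It assumes Python's sqlite3 module as a stand-in for Jet, since its execute() also accepts only one statement per call; the table contents and input strings are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the thread's example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_dynamic(db, user, password):
    # Dynamic SQL: input is spliced into the statement text (the vulnerable form).
    sql = ("SELECT COUNT(*) FROM users WHERE user = '" + user +
           "' AND pass = '" + password + "'")
    try:
        return db.execute(sql).fetchone()[0] > 0
    except (sqlite3.Error, sqlite3.Warning):
        # Raised when text after ';' forms a second statement (one per call).
        return None

def login_param(db, user, password):
    # Parameters: values are bound separately and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE user = ? AND pass = ?"
    return db.execute(sql, (user, password)).fetchone()[0] > 0

def row_count(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]

def demo():
    db = make_db()
    stacked = "x'; INSERT INTO users VALUES ('test','test'); --"  # second statement
    tautology = "' OR '1'='1"                                     # single statement
    return {
        # The driver refuses the stacked statement, so nothing is inserted.
        "stacked_dynamic": login_dynamic(db, "alice", stacked),
        "rows_after_stacked": row_count(db),
        # A single-statement injection still changes the WHERE logic.
        "tautology_dynamic": login_dynamic(db, "alice", tautology),
        # Bound parameters treat the same input as a plain password string.
        "tautology_param": login_param(db, "alice", tautology),
        "valid_param": login_param(db, "alice", "s3cret"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```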
Re: Multiple command in 1 query?
on 13.10.2006 13:20:42 by Anthony Jones
"Bob Barrows [MVP]" wrote in message
news:%23zM0nRx5GHA.756@TK2MSFTNGP05.phx.gbl...
> Some forms, but certainly not all. The best protection is to use
> parameters instead of dynamic sql.
>
It can be a show stopper to scaling up a successful application to SQL
Server from Access when you realise the amount of re-work needed to make an
app secure from SQL Injection. Best option is to do it properly in the
first place rather than relying on the JET not all that compliant SQL
implementation.