I have a report that I'm converting from Crystal onto MS SQL 2005, using SSRS. The report requires the users to enter a series of values, which are the catalogue numbers for thingies that they wish to report out. This is currently set as a multi-value parameter. The values that are entered have no set format, sometimes they are a string of letters, sometimes a string of numbers, sometimes a bunch of numbers, a dash, then another bunch of numbers.
Do any of you know of some code that I can use to sanitise the input for SQL injection attacks as well as separating the multiple values into discrete inputs?
Forgive me if this isn't completely clear - it is late and I am tired.
As long as you treat it as a parameter to a stored procedure and that stored procedure doesn't concatenate the value into a SQL string to execute, you should be protected from SQL injection. The trick is to agree on a separator character so you can use a function to split the string into a list that you can use in an IN clause. Here's a function that does that splitting:
answered Feb 09, 2010 at 05:09 AM
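The answer above describes the approach but its function did not survive on this page. The following is an added example written for this page, not the answerer's own code: a table-valued splitter written for SQL Server 2005 (which has no built-in STRING_SPLIT; that arrived in SQL Server 2016, and the `DECLARE @x INT = 1` shorthand is 2008+, hence the separate SET statements), and a stored procedure that uses it in an IN clause so the user-entered values only ever travel as parameter data, never as SQL text. The table and column names `dbo.Thingies`, `CatalogNumber` and `Description` are hypothetical, and the sample input is constructed.

```sql
-- Added example, not the original answer's function.
-- Splits a delimited list into rows. Written for SQL Server 2005 syntax.
CREATE FUNCTION dbo.SplitList
(
    @List      NVARCHAR(MAX),
    @Delimiter NCHAR(1)
)
RETURNS @Items TABLE (Item NVARCHAR(100) NOT NULL)
AS
BEGIN
    DECLARE @Start INT;
    DECLARE @End   INT;
    DECLARE @Piece NVARCHAR(100);

    SET @List  = ISNULL(@List, N'') + @Delimiter; -- trailing sentinel so the last item needs no special case
    SET @Start = 1;

    WHILE @Start <= LEN(@List)
    BEGIN
        SET @End = CHARINDEX(@Delimiter, @List, @Start);
        IF @End = 0 BREAK;                      -- cannot happen with the sentinel, kept as a guard

        -- Trim surrounding spaces; letters, digits and dashes all pass through untouched
        SET @Piece = LTRIM(RTRIM(SUBSTRING(@List, @Start, @End - @Start)));

        -- Skip empty pieces (e.g. a doubled delimiter); each kept piece is a row of data,
        -- never concatenated into a statement, so no escaping is required
        IF @Piece <> N''
            INSERT INTO @Items (Item) VALUES (@Piece);

        SET @Start = @End + 1;
    END
    RETURN;
END
GO

-- Report procedure: the whole multi-value list arrives as ONE parameter and is
-- compared with an IN (subquery). dbo.Thingies and its columns are hypothetical.
CREATE PROCEDURE dbo.ThingyReport
    @CatalogNumbers NVARCHAR(MAX)   -- e.g. N'ABC, 12345, 987-654' as joined by SSRS
AS
BEGIN
    SET NOCOUNT ON;

    SELECT t.CatalogNumber, t.Description
    FROM   dbo.Thingies AS t
    WHERE  t.CatalogNumber IN (SELECT Item FROM dbo.SplitList(@CatalogNumbers, N','));
END
GO

-- Constructed sample call covering the value shapes the question mentions
-- (letters, digits, digits-dash-digits), plus a doubled comma and stray spaces:
SELECT Item FROM dbo.SplitList(N'ABC, 12345, 987-654,, XYZ ', N',');
```

In the SSRS dataset, map the procedure's `@CatalogNumbers` parameter to the expression `=Join(Parameters!CatalogNumbers.Value, ",")`, which collapses the multi-value parameter into a single comma-separated string. Pick a separator that cannot occur inside a catalogue number (a comma is safe for the letters/digits/dash values described; a dash would not be), since any occurrence of the separator inside a value would split it in two. The splitter deliberately does no "sanitising": because the procedure never builds a statement from the string, the values are matched purely as data, and the only way to reintroduce injection risk would be to concatenate `@CatalogNumbers` into dynamic SQL, which is exactly what the answer warns against.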