Posted by Erland Sommarskog on 06/08/06 21:34
John (johnxhc@yahoo.com) writes:
> Well, when I say I allow the client to specify the where clause, that is
> just a simple way to put it. Actually I publish a list of fields the client
> is allowed to search on, which have different names than the database
> field names; I have a table to map the field name the client is using to
> the real database field name (or XML Query).
> When I get the where clause I do the parsing and convert the client
> supplied name into the real database name (or XML Query expression). Since
> the parser is doing all the checks, I am not worried about SQL
> injection.
>
> You may ask why I am going through so much trouble. The reason is I am
> writing a framework that needs to be extendable, which means I design
> the basic infrastructure, and other groups could design applications sitting
> on top of the framework. For example, they could design their own
> database and tables, and as long as they follow the general design, they
> could reuse everything I am doing.
Now, I understand less and less. If you are parsing the input, you
should be able to break up the input so you could try the union thing.
Looks like a very good idea to do this in a CLR procedure, by the way.
--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
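The mapping scheme John describes above, written out as an added example that is not part of the original thread: client-visible field names are looked up in an allow-list (a dict stands in for his mapping table), the real column name is substituted, and every literal value becomes a bound parameter rather than text in the query. The field names, column names and clause grammar here are constructed for illustration; a real framework would load the mapping from its table and accept whatever operators it chooses to support.

```python
import re

# Constructed allow-list: client-visible name -> real column name.
# John keeps this in a mapping table; a dict stands in for it here.
FIELD_MAP = {
    "customer": "dbo.Customers.CustomerName",
    "city": "dbo.Customers.City",
    "orderdate": "dbo.Orders.OrderDate",
}

# Tokens the client grammar accepts: quoted strings (with '' escaping),
# integers, comparison operators, and bare words (field names, AND/OR/LIKE).
TOKEN_RE = re.compile(
    r"\s*(?:(?P<str>'(?:[^']|'')*')|(?P<num>\d+)"
    r"|(?P<op><>|<=|>=|=|<|>)|(?P<word>[A-Za-z_][A-Za-z0-9_]*))"
)


class ClauseError(ValueError):
    """Raised for anything the client grammar does not allow."""


def tokenize(text):
    """Split the client clause into (kind, text) tokens; reject stray characters."""
    text = text.strip()
    pos, tokens = 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ClauseError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


def translate(clause, field_map=FIELD_MAP):
    """Turn a client where clause into (parameterized SQL, parameter list).

    Grammar: condition (AND|OR condition)*, condition := field op value.
    Only names in field_map are accepted, and values never reach the SQL text.
    """
    tokens = tokenize(clause)
    sql_parts, params = [], []
    i, expect_condition = 0, True
    while i < len(tokens):
        if expect_condition:
            if i + 2 >= len(tokens):
                raise ClauseError("incomplete condition")
            (fk, fv), (ok, ov), (vk, vv) = tokens[i:i + 3]
            if fk != "word" or fv.lower() not in field_map:
                raise ClauseError(f"unknown field {fv!r}")   # real column names are not client-facing either
            if ok == "op":
                op = ov
            elif ok == "word" and ov.upper() == "LIKE":
                op = "LIKE"
            else:
                raise ClauseError(f"unknown operator {ov!r}")
            if vk == "str":
                params.append(vv[1:-1].replace("''", "'"))  # unescape; the value goes to a parameter
            elif vk == "num":
                params.append(int(vv))
            else:
                raise ClauseError(f"expected a value, got {vv!r}")
            sql_parts.append(f"{field_map[fv.lower()]} {op} @p{len(params) - 1}")
            i += 3
            expect_condition = False
        else:
            kind, val = tokens[i]
            if kind != "word" or val.upper() not in ("AND", "OR"):
                raise ClauseError(f"expected AND/OR, got {val!r}")
            sql_parts.append(val.upper())
            i += 1
            expect_condition = True
    if expect_condition:
        raise ClauseError("empty clause or trailing connective")
    return " ".join(sql_parts), params


def is_rejected(clause):
    """True if the parser refuses the clause (used for the negative cases)."""
    try:
        translate(clause)
        return False
    except ClauseError:
        return True


if __name__ == "__main__":
    print(translate("customer = 'O''Brien' AND city LIKE 'Stock%'"))
    for bad in ("city = 'x' OR 1=1", "CustomerName = 'x'", "city = 'x'; SELECT 1"):
        print(bad, "->", "rejected" if is_rejected(bad) else "accepted")
```

The returned SQL uses `@p0`, `@p1`, ... placeholders in the SQL Server style, so the caller binds `params` through its client library (or passes them into `sp_executesql`); the only identifiers that ever appear in the query text come from the allow-list, which is what makes the parse, rather than any escaping of values, the control John is relying on.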