Hello Rabbit, thanks for your input :) I need to change it so as to avoid SQL injection like you correctly mentioned. Can you please tell me how to escape my inputs to avoid it? Or do you have a solution to avoid the risk in the first place?
By the way, my inputs are actually results from a "SELECT" in my stored procedure from another table which is static. So can you make sure the data there are escaped in T-SQL?
...
nicolasclaudia
Last Activity: Jan 24 '13, 04:49 PM
Joined: Jan 23 '13
Formatting NVARCHAR with xp_sprintf and dynamic list of parameters
Hi all, I need your help. How can you format a string with placeholders with the number of placeholders not known in advance (dynamic number of placeholders)?
I need to do that in T-SQL.
"xxxxx {0} yyyy {1} zzzz {2} "
with {} replaced by parameters.
I did the code:
...
Code:
DECLARE @PARAMETERS nvarchar(500)
DECLARE @TEST nvarchar(500)
DECLARE