Comments on: Creating a simple FrontEnd using Reporting Services and Merge http://www.sqlserver007.com/2009/12/07/creating-reporting-services-as-frontend-using-merge/ Blog on SQL SERVER and Business Intelligence by Vivekanand Serou Wed, 30 Jun 2010 19:16:45 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Vivek http://www.sqlserver007.com/2009/12/07/creating-reporting-services-as-frontend-using-merge/comment-page-1/#comment-2081 Vivek Mon, 21 Dec 2009 13:34:07 +0000 http://www.sqlserver007.com/?p=321#comment-2081 ya thanks ya thanks

]]> By: Cesare http://www.sqlserver007.com/2009/12/07/creating-reporting-services-as-frontend-using-merge/comment-page-1/#comment-2080 Cesare Mon, 21 Dec 2009 13:26:53 +0000 http://www.sqlserver007.com/?p=321#comment-2080 humm I think I know all these people that comment here ;-D Nice one mate! I like this approach as a quick soultion!!! Cesare humm I think I know all these people that comment here ;-D

Nice one mate!
I like this approach as a quick soultion!!!

Cesare

]]> By: Jez http://www.sqlserver007.com/2009/12/07/creating-reporting-services-as-frontend-using-merge/comment-page-1/#comment-1943 Jez Tue, 08 Dec 2009 09:43:50 +0000 http://www.sqlserver007.com/?p=321#comment-1943 Nice idea. Need to ensure that the user experience is still a pleasant one, but will surely be useful for small inputs. A function could be created to sanitise all user input data, for example WP has the following suite of functions for validating data before committing to the db: http://codex.wordpress.org/Data_Validation Nice idea. Need to ensure that the user experience is still a pleasant one, but will surely be useful for small inputs.

A function could be created to sanitise all user input data, for example WP has the following suite of functions for validating data before committing to the db: http://codex.wordpress.org/Data_Validation

]]> By: Marcus Ford http://www.sqlserver007.com/2009/12/07/creating-reporting-services-as-frontend-using-merge/comment-page-1/#comment-1938 Marcus Ford Tue, 08 Dec 2009 00:06:00 +0000 http://www.sqlserver007.com/?p=321#comment-1938 Very Interesting...I can hear all the sceptics shouting about SQL Injection right now. ..."So you have a user, and he knows this website that shows you how to do sql injection." Not to worry, this stored procedure is pretty good at parameterization, so the developer clearly took SQL Injection into account and protected his server from it. If he was careless and did something like set @sql = @sql + @someparameter Exec(@sql) And he was connecting to the database using an account that had sysadmin rights then there is margin for mayhem. Nice work, you didn't need to write any C# code here and it took less than 10 mins to put together and you can put your bosses fears to bed about SQLInjection. :) M. Very Interesting…I can hear all the sceptics shouting about SQL Injection right now.

…”So you have a user, and he knows this website that shows you how to do sql injection.”

Not to worry, this stored procedure is pretty good at parameterization, so the developer clearly took SQL Injection into account and protected his server from it.

If he was careless and did something like

set @sql = @sql + @someparameter
Exec(@sql)

And he was connecting to the database using an account that had sysadmin rights then there is margin for mayhem.

Nice work, you didn’t need to write any C# code here and it took less than 10 mins to put together and you can put your bosses fears to bed about SQLInjection.

:)

M.

]]>