#1 Manitcor (SitePoint Member, Twin Cities, MN; joined Jul 2004)

Stored Proc/WHERE Clause Issue in MSSQL2k

    Hey there everyone, hopefully someone can shed some light on this problem.

    Here is the stored procedure:
Code:
CREATE Procedure sp_getRequestorwCredentials
    -- Note: the sp_ prefix is reserved for system procedures; SQL Server
    -- checks master for sp_* names first, so a different prefix avoids that lookup.
    @LoginID varchar(50)
AS
SELECT  Users.Name AS name, Users.Email AS email, Users.Manager AS manager,
        Users.Mgremail AS mgremail, Users.Empid AS empid, Users.Phone AS phone,
        Users.Dept AS dept, Users.Busunit AS busunit, Users.Segment AS segment,
        Users.EmpPosition AS position, Users.Region AS region,
        Requests.RequestDate, Users.Reason AS reason, Users.District AS district,
        Users.NetId, Users.Status AS status
        -- (a second, unaliased Users.EmpPosition column was a duplicate and is dropped)
FROM    Users
        INNER JOIN Requests ON Users.Empid = Requests.UserId
WHERE   Users.NetId LIKE RTRIM(@LoginID)   -- LIKE with no wildcards behaves like =,
                                           -- except trailing spaces are significant
ORDER BY Requests.RequestDate DESC
RETURN
GO
Now this query will work fine when using the LIKE operator; however, if a user has a name similar to another user already in the table, then the user may get the other person's record instead of their own. Of course the solution here is to use the = operator instead of LIKE. This works fine when querying the DB directly; however, when executed within the stored proc no records are returned using the = operator, even though the exact same query text works fine in a query window with a hardcoded var.

Yes, I know there are SQL injection issues, but the LoginID is being grabbed from the user's domain login DOMAIN\NAME and is taken from the authentication module. Since Active Directory names have a limited character set, there's no way to pass an invalid name with text that allows for an injection attack.
    They call it a web forum or a car club. I mostly call it a day care

    MyMonte.com
    Manitcor.com

#2 Manitcor (SitePoint Member, Twin Cities, MN; joined Jul 2004)
I discovered my problem: some old code I forgot to comment out was causing the problem by introducing wildcard characters into my WHERE clause.

    Thanks anyway.
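The following T-SQL script is an added example, not code from the thread, that reproduces both posts on a throwaway temp table: a stray `%` appended to @LoginID (what the forgotten code did) makes LIKE over-match on similar NetIds while = matches nothing, and then shows the two fixes. The table, column and NetId values are assumptions modelled on the stored procedure above; DECLARE/SET is kept separate so it also runs on SQL Server 2000.

```sql
-- Added example (not from the original post). Table, columns and data are
-- constructed to mirror the Users table in the stored procedure.
CREATE TABLE #Users (Empid int, Name varchar(50), NetId varchar(50));
INSERT INTO #Users VALUES (1, 'Jane Smith',  'DOMAIN\jsmith');
INSERT INTO #Users VALUES (2, 'John Smith',  'DOMAIN\jsmith2');
INSERT INTO #Users VALUES (3, 'J. Smithson', 'DOMAIN\jsmithson');

DECLARE @LoginID varchar(50);
DECLARE @Pattern varchar(100);

-- What the stale code effectively produced: the login with a wildcard appended.
SET @LoginID = 'DOMAIN\jsmith%';

-- LIKE: the % matches all three rows, so the caller gets whichever row
-- sorts first, i.e. possibly another person's record (symptom in post #1).
SELECT 'LIKE with wildcard' AS test, Name, NetId
FROM #Users WHERE NetId LIKE RTRIM(@LoginID);

-- =: no NetId literally ends in '%', so zero rows (the "no records" symptom).
SELECT '= with wildcard' AS test, Name, NetId
FROM #Users WHERE NetId = RTRIM(@LoginID);

-- Fix 1 (what post #2 did): stop adding the wildcard and compare with =.
SET @LoginID = 'DOMAIN\jsmith';
SELECT '= exact' AS test, Name, NetId
FROM #Users WHERE NetId = RTRIM(@LoginID);      -- exactly one row: Jane Smith

-- Fix 2: if LIKE must stay (e.g. a prefix search elsewhere), neutralise any
-- wildcard characters in the caller's value so %, _ and [ are matched literally.
-- '!' is used as the escape character because the login already contains '\'.
SET @LoginID = 'DOMAIN\jsmith%';
SET @Pattern = REPLACE(REPLACE(REPLACE(REPLACE(RTRIM(@LoginID),
                   '!', '!!'), '%', '!%'), '_', '!_'), '[', '![');
SELECT 'LIKE escaped' AS test, Name, NetId
FROM #Users WHERE NetId LIKE @Pattern ESCAPE '!'; -- zero rows: no NetId ends in %

DROP TABLE #Users;
```

Run in a query window against any SQL Server: the first SELECT returns three rows, the second none, the third exactly the Jane Smith row, and the fourth none because the escaped pattern now demands a literal `%`. The escape order matters: the escape character itself is doubled first so a caller cannot smuggle in `!%`.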
