SQL Query in column

SQL Query in column

Old forum URL: forums.lhotka.net/forums/t/5022.aspx

jfreeman posted on Thursday, June 26, 2008

I have a scenario where I have a ReadOnlyList BO that returns 3 columns from a table.  One of the columns contains SQL for a Select.  After a user enters data into a field, the SQL in that column needs to be ran (it adds the user input to the Where clause) and results retrieved to a grid. 

Any ideas on how to accompish this?  I am using CSLA 3.5.  Thanks.

 

Jonathan

sergeyb replied on Thursday, June 26, 2008

I really do not know a good way to do this in CSLA.  If query for results grid is not set and is varying a lot, I do not think CSLA is good for this.  I would recommend using data table or dataset for results grid instead.  Beware of SQL injection because this solution is very prone to it.

 

Sergey Barskiy

Senior Consultant

office: 678.405.0687 | mobile: 404.388.1899

cid:_2_0648EA840648E85C001BBCB886257279
Microsoft Worldwide Partner of the Year | Custom Development Solutions, Technical Innovation

 

From: jfreeman [mailto:cslanet@lhotka.net]
Sent: Thursday, June 26, 2008 2:24 PM
To: Sergey Barskiy
Subject: [CSLA .NET] SQL Query in column

 

I have a scenario where I have a ReadOnlyList BO that returns 3 columns from a table.  One of the columns contains SQL for a Select.  After a user enters data into a field, the SQL in that column needs to be ran (it adds the user input to the Where clause) and results retrieved to a grid. 

Any ideas on how to accompish this?  I am using CSLA 3.5.  Thanks.

 

Jonathan



Q Johnson replied on Thursday, June 26, 2008

You'd be a lot happier (or someone would <g>) if you take the user's input and use it as a parameter value for a query.  Pasting user input into a where clause is exactly the scenario we all try to avoid because it leaves us wide open to SQL Injection attacks.
 
So for your SQL, just have SQL for a parameterized query, read it, and take the user's input for your
 
   cmd.Paratmers.Add(@parmName, "UserEnteredText")
 
statement.  Or, even easier, just save the SQL as a stored procedure and keep the sProc's name in that database column rather than the actual SQL.
 
Hope you find this helpful,
 
Q
 

From: jfreeman [mailto:cslanet@lhotka.net]
Sent: Thursday, June 26, 2008 1:26 PM
To: QJohnson@TeamNFP.com
Subject: [CSLA .NET] SQL Query in column

I have a scenario where I have a ReadOnlyList BO that returns 3 columns from a table.  One of the columns contains SQL for a Select.  After a user enters data into a field, the SQL in that column needs to be ran (it adds the user input to the Where clause) and results retrieved to a grid. 

Any ideas on how to accompish this?  I am using CSLA 3.5.  Thanks.

 

Jonathan




jfreeman replied on Thursday, June 26, 2008

Thanks for the replies.  The SQL commands look similar to this:

SELECT CustomerID, CompanyName, CustomerNo [Company Code] FROM Customer WHERE Customer.CustomerID = {Customer ID} ORDER BY Customer.CustomerID

All we do is take the user input and replace {CustomerID}.  So we're not just adding a Where clause.  Any other thoughts?  Thanks.

Jonathan

 

 

RockfordLhotka replied on Thursday, June 26, 2008

So your resulting list of columns is fixed? You always get back the same data?

You should be able to do this relatively easily by using a ReadOnlyBase object to retrieve the new values.

The process would be kind of like this:

  1. Fetch an Editable Root with the initial data
  2. When the user does whatever they do to trigger loading the other fields, your Editable Root can fetch a Read-only Root that contains the data (the criteria for the Read-only Root is the value supplied by the user)
  3. The Editable Root takes the values from the Read-only Root and puts them into its own fields. It then discards the Read-only Root (the UI never sees any of this btw)
  4. You may need to call OnUnknownPropertyChanged at this point to force data binding to refresh the UI with the new values
  5. The user then edits the object some more, possibly including these values
  6. The user clicks Save, and the Editable Root saves itself - also saving these field values if they are present

 

jfreeman replied on Thursday, June 26, 2008

Unfortunately, they are not fixed.  The SQL could also be something like this:

SELECT ProductID, ProductNo, ProductDescription, ProductType FROM Product WHERE ProductNo LIKE '{Product No}%' order by ProductNo

The SQL command is different based on other selections a user makes before the application retrieves the SQL portion.  Thanks.

Jonathan

 

RockfordLhotka replied on Thursday, June 26, 2008

What I’m saying is that your SELECT seems consistent (in your examples) – only the WHERE varies.

 

If the SELECT is consistent then this isn’t too hard (though the injection attack is a real problem).

 

If the SELECT varies (so the user gets to pick the columns to return) then an untyped DataTable is probably your easiest solution. Just get the data into the DataTable – the DataTable is a field of your object – and return your object to the client, then give the DataTable to the UI via a property.

 

Rocky

 

From: jfreeman [mailto:cslanet@lhotka.net]
Sent: Thursday, June 26, 2008 3:03 PM
To: rocky@lhotka.net
Subject: Re: [CSLA .NET] RE: SQL Query in column

 

Unfortunately, they are not fixed.  The SQL could also be something like this:

SELECT ProductID, ProductNo, ProductDescription, ProductType FROM Product WHERE ProductNo LIKE '{Product No}%' order by ProductNo

The SQL command is different based on other selections a user makes before the application retrieves the SQL portion.  Thanks.

Jonathan

 



jfreeman replied on Thursday, June 26, 2008

Could the CommandBase be used to pass the SQL into and return a DataTable? 

Jonathan

RockfordLhotka replied on Thursday, June 26, 2008

Yes, either that or a ReadOnlyBase object – either would work.

 

Rocky

 

From: jfreeman [mailto:cslanet@lhotka.net]
Sent: Thursday, June 26, 2008 4:44 PM
To: rocky@lhotka.net
Subject: Re: [CSLA .NET] RE: SQL Query in column

 

Could the CommandBase be used to pass the SQL into and return a DataTable? 

Jonathan



jfreeman replied on Friday, June 27, 2008

Can you explain how this might work in a ReadOnlyBase?  Sample code maybe?  Thanks.

Jonathan

ajj3085 replied on Friday, June 27, 2008

Well each search sounds like a different use case.. so you'd have a set of read only objects that are the result of one kind of query and another for the other kind of query.

RockfordLhotka replied on Monday, July 07, 2008

I could have the use of the tableadapter wrong - I don't use them more than once every couple years for some demo or other, but the basic structure of using ReadOnlyBase is like this:

[Serializable]
public class GetDataTable : ReadOnlyBsae<GetDataTable>
{
  private DataTable _table;

  public DataTable Table
  {
    get { return _table; }
  }

  public static GetDataTable GetObject()
  {
    return DataPortal.Fetch<GetDataTable>();
  }

  private GetDataTable()
  { /* require use of factory */ }

  private void DataPortal_Fetch()
  {
    _table = new DataTable();
    var da = new MyTableAdapter();
    da.Fill(_table);
  }
}

 

sergeyb replied on Friday, June 27, 2008

Yes, it can be.

 

Sergey Barskiy

Senior Consultant

office: 678.405.0687 | mobile: 404.388.1899

cid:_2_0648EA840648E85C001BBCB886257279
Microsoft Worldwide Partner of the Year | Custom Development Solutions, Technical Innovation

 

From: jfreeman [mailto:cslanet@lhotka.net]
Sent: Thursday, June 26, 2008 5:44 PM
To: Sergey Barskiy
Subject: Re: [CSLA .NET] RE: SQL Query in column

 

Could the CommandBase be used to pass the SQL into and return a DataTable? 

Jonathan



ajj3085 replied on Thursday, June 26, 2008

If your customer types 0; drop database master for you'll be in for a world of hurt.  Use command parameters.

Copyright (c) Marimer LLC