tags:

views:

112

answers:

3
Q: 

Run SQL statements from ASP.net application

I need to run sql statements from the application itself. i.e. the user can go into the asp.net applciation, gets a box and can run sql statements from there

I am already doing something like this http://stackoverflow.com/questions/1858329/can-i-rollback-dynamic-sql-in-mssql-tsql/1860334#1860334

That is running dynamic sql

is there a better way to do this

+2  A: 

DO NOT DO THIS. What if the user types in sp_msforeachtable 'truncate table ?'...?

Stu  2009-12-08 00:52:29
I know I SHOULDN'T, but I have to..there will be security restrictions put in place. I just need to know how to
soldieraman  2009-12-08 01:05:49
I agree, you SHOULD NOT do this. If your users are trusted well enough to where you'd even consider letting them submit raw SQL statements to your database and they have internet access... then just give them (secure) access to the server via SQL Management studio or a similar 3rd party tool. No reason to re-invent the wheel by developing your own SQL tools since there are a LOT of existing tools that aleady work great, but there are MANY reasons NOT to do this via a custom web interface.
Stephen M. Redd  2009-12-08 08:00:02
A: 

RunSQL.aspx utility might help. See Upload T-SQL and execute at your hosting provider using an ASP.NET page.

Pavel Chuchuva  2009-12-08 01:22:52
+2  A: 

Dynamic SQL is certainly the easiest way to do this. The alternative is parameterized SQL, but that would require having your users define and set parameters separately from the T-SQL.

You can simply submit the T-SQL string to SQL Server using the SqlCommand object; there's no real benefit to wrapping it in an EXEC or anything, as in the link you provided. You can do exception handling on the .NET side.

Also, if you want to support command batches, keep in mind that SqlClient and friends don't understand "GO", which also isn't an actual T-SQL command -- you will need to parse the input and break it into batches yourself.

I'm sure you understand that there is a big security risk in doing this, and that's it's generally not recommended. You might consider using a connection string that specifies a user with limited permissions, to help control / limit their access.

RickNZ  2009-12-08 02:03:25

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?