MSSQL LIKE and IN statements in ADO problem

Raja Raman Sundararajan ram0812 at
Wed Jan 18 12:24:15 EST 2006

Yes, Steve you have a very good point.
Gregarcian, I am using the parameterized SQL to avoid such
for example in your example use
name = "%'WAITFOR DELAY '00:00:03'--%"
and directly substitute it to the statement
"select * from table_name where name like '%s' " % (name)
The server will have to wait for three seconds and will return all the
rows in the table,
which is unwanted.
I am trying to use parameterized statements to avoid these sort of SQL
injection problems
and have not managed yet to fix the LIKE and IN statement problems.

/Raja Raman

More information about the Python-list mailing list