MSSQL LIKE and IN statements in ADO problem

Raja Raman Sundararajan ram0812 at
Thu Jan 19 10:02:26 CET 2006

Hello Steve, Roger and Pete,
    Nice to read your reply. Well, I can do an assert check for
integers and then filter out hazardous SQL injection characters for
varchars and do a direct substitution of the filtered values with the
SQL statement.

But by using ADO, input strings can be treated as what they are
intended to be by adding values to the CreateParameter statement whe we
do an Execute.
This way I thought I need not care about what kind of input I get from
the client, and I will be able to use them blindly to form a dynamic
Thus producing a more general solution for SQL injection prone areas.

Also, when it comes to filtering of hazardous characters, I think its
better to allow only those characters one needs than to filter out SQL
injection specific characters.
But the problem is we have all kinds of special characters stored in
our DB and filtering out characters will only result in wrong output.
So, I have to rule out this case.

With the DB API, yes I had a quick look at the code and the dynamic
formation of the SQL statement does not seem to have support for IN
I am not sure about the LIKE statement though. Maybe, they do support
it. So, I need to take a closer look at the file before

To the concerned:
>>> value = '%raj%'
>>> "select * from table_name where firstname LIKE '%s' " % value
works just fine, the result set contains all the first names that
contains 'raj'
How should we do this using createparameter in python?
There should be a wasy toa chieve this in ADO using python.
C# has a way to do this using ADO.Net.

Please keep providing inputs, in the mean time I will also do some
research on this problem and get back to you if I find a solution.

/Raja Raman

More information about the Python-list mailing list