Converting memo field from VFP to text in SQL Server
To
07/08/2005 17:54:22
John Ryan
Captain-Cooker Appreciation Society
Taumata Whakatangi ..., New Zealand
General information
Forum:
Microsoft SQL Server
Category:
Other
Miscellaneous
Thread ID:
01038731
Message ID:
01039262
Views:
27
John,

Thank you very much for the explanation and a good illustration of the potential problem.

>Dmitry,
>
>Before you decide exactly how to do this, google SQL Injection. Any time you use string concatenation to create SQL, you create an opportunity for hackers to cause mischief.
>
>Example:
>
>lcsql="select * from mysqltable where mykey='"+m.lcparameter+"'"
>
>Looks as if this will pull just record/s that match the parameter, right?
>
>But if a hacker can set lcparameter to something like dummy' or 'hello' = 'hello then here is what will execute:
>
>select * from mysqltable where mykey='dummy' or 'hello' = 'hello'
>
>Not quite what you had in mind, right? ;-) Even worse if they can do this for updates!
>
>Where possible, embed ?parameters using questionmarks in your client-side SQL. Parameterized SQL is then created that resists injection because values are transmitted to SQL Server as separate variables that cannot execute. You can do this very easily using parameters in SPT or a Remote View (where it happens automatically if you use ? parameters) or you can write your own Stored Procedure to achieve the same.
"The creative process is nothing but a series of crises." Isaac Bashevis Singer
"My experience is that as soon as people are old enough to know better, they don't know anything at all." Oscar Wilde
"If a nation values anything more than freedom, it will lose its freedom; and the irony of it is that if it is comfort or money that it values more, it will lose that too." W.Somerset Maugham
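The injection John describes, and the parameterized fix he recommends, side by side. This is an added example, not code from the thread; it uses Python with an in-memory SQLite database as a stand-in for the VFP client and SQL Server (assumption), with a constructed three-row "mysqltable". The concatenated query is built exactly as in the post, so the payload "dummy' or 'hello' = 'hello" turns it into an always-true WHERE clause and returns every row; the parameterized query sends the same string as a bound value, which plays the role of VFP's ?m.lcparameter in SQLEXEC() or a remote view, and matches nothing.

```python
import sqlite3

# Constructed sample rows standing in for the page's "mysqltable".
# The column name mykey comes from the post; the values are made up.
SAMPLE_ROWS = [
    ("alpha", "first row"),
    ("beta", "second row"),
    ("gamma", "third row"),
]

# The attacker-controlled value from the post: it closes the string
# literal and appends an OR condition that is always true.
PAYLOAD = "dummy' or 'hello' = 'hello"


def open_db():
    """In-memory SQLite database used as a stand-in for SQL Server (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mysqltable (mykey text, payload text)")
    conn.executemany("insert into mysqltable values (?, ?)", SAMPLE_ROWS)
    return conn


def build_concatenated_sql(lcparameter):
    """Mirrors the post's lcsql = "select ... where mykey='" + m.lcparameter + "'"."""
    return "select * from mysqltable where mykey='" + lcparameter + "'"


def query_concatenated(conn, lcparameter):
    """Vulnerable: the caller's value is spliced into the SQL text itself."""
    return conn.execute(build_concatenated_sql(lcparameter)).fetchall()


def query_parameterized(conn, lcparameter):
    """Hardened: the SQL text is fixed and the value is bound separately.

    The '?' placeholder corresponds to VFP's ?m.lcparameter in SPT or a
    remote view; the database never parses the value as SQL.
    """
    return conn.execute(
        "select * from mysqltable where mykey = ?", (lcparameter,)
    ).fetchall()


def demo():
    """Run both forms against a normal key and against the injection payload."""
    conn = open_db()
    results = {
        "sql_built": build_concatenated_sql(PAYLOAD),
        "concat_normal": query_concatenated(conn, "beta"),
        "concat_payload": query_concatenated(conn, PAYLOAD),
        "param_normal": query_parameterized(conn, "beta"),
        "param_payload": query_parameterized(conn, PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows "concat_payload" returning all three rows while "param_payload" returns none; the difference is solely whether the value reached the database as part of the statement text or as a separate bound parameter.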