Mike Yearwood
Toronto, Ontario, Canada
Versions des environnements
>Mike,
>
>You are deluding yourself if you think that ?x is less susceptible to SQL injection attacks.
You're welcome to show me how to injection sql into a parameterized query.
>
>It's a fairly high cost in the overhead of VFP communicating parameters to ODBC, compositing the SQL string yourself runs quite a bit faster.
>
>>I would never consider testing that. If MDOT ;) lnPercentage came directly from the user, that would be the dictionary definition of a SQL Injection Attack. Passing the value as a parameter excludes the injection attack.
>>
>>I thought passing the parameter in both cases validated the test by keeping the two processes more alike. Agreed?
Précédent
Répondre
Voir le fil de ce thread
Voir le fil de ce thread à partir de ce message seulement
Voir tous les messages de ce thread
Voir tous les messages de ce thread à partir de ce message seulement