Mike Yearwood
Toronto, Ontario, Canada
>Mike,
>
>You are deluding yourself if you think that ?x is less susceptible to SQL injection attacks.
You're welcome to show me how to injection sql into a parameterized query.
>
>It's a fairly high cost in the overhead of VFP communicating parameters to ODBC, compositing the SQL string yourself runs quite a bit faster.
>
>>I would never consider testing that. If MDOT ;) lnPercentage came directly from the user, that would be the dictionary definition of a SQL Injection Attack. Passing the value as a parameter excludes the injection attack.
>>
>>I thought passing the parameter in both cases validated the test by keeping the two processes more alike. Agreed?
Previous
Reply
View the map of this thread
View the map of this thread starting from this message only
View all messages of this thread
View all messages of this thread starting from this message only