Run SQL Statement from a string
Message
From
11/08/2006 16:09:37
Mike Yearwood
Toronto, Ontario, Canada
To
11/08/2006 15:52:50
John Ryan
Captain-Cooker Appreciation Society
Taumata Whakatangi ..., New Zealand
General information
Forum:
Visual FoxPro
Category:
Coding, syntax and commands
Environment versions
Visual FoxPro:
VFP 9 SP1
OS:
Windows XP SP2
Network:
Windows 2003 Server
Database:
Visual FoxPro
Miscellaneous
Thread ID:
01144703
Message ID:
01144925
Views:
14
>Thanks, Mike!
>
>In this particular example, even concatenating a simple SQL Select is risky if a hacker can mess with the lcCompany variable.

Yes. *IF*

>If lcCompany is set to JJ union (select * from mytable) then concatenating that into a SQL string will include all the records in mytable.
>
>IMHO the best response is to use Name expression as proposed by Sergey:
>
>
>Select * from ("d:\demo\pro73b\sampledata\" + ALLTRIM(lcfile) + ALLTRIM(lcCompany))
>
>Not possible to inject that.
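The concatenation risk John describes and the name-expression remedy, shown as an added Python/sqlite3 example that is not part of this thread or of VFP: the table names, rows and the functions select_concat/select_named are constructed for illustration, and the UNION payload drops the thread's parentheses because SQLite's grammar does not accept a parenthesised compound member.

```python
import re
import sqlite3

# Constructed sample data standing in for the thread's tables: the caller is
# meant to read only the "company" table for the requested suffix; "mytable"
# is the table an injected UNION would drag in.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE companyJJ(id INTEGER, name TEXT);
        INSERT INTO companyJJ VALUES (1, 'jj-row');
        CREATE TABLE mytable(id INTEGER, name TEXT);
        INSERT INTO mytable VALUES (2, 'other-company-row');
    """)
    return con

def select_concat(con, lcfile, lcCompany):
    """Vulnerable form: the suffix is pasted into the SQL text, so
    lcCompany = 'JJ union select * from mytable' turns a single-table
    read into a UNION over two tables."""
    sql = "SELECT * FROM " + lcfile.strip() + lcCompany.strip()
    return con.execute(sql).fetchall()

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def select_named(con, lcfile, lcCompany):
    """Hardened form, the analogue of the VFP name expression: the suffix
    is treated as a name, never as SQL. It must look like an identifier and
    must resolve to an existing table (checked with a bound parameter);
    only then is it used, quoted, as the FROM target."""
    table = lcfile.strip() + lcCompany.strip()
    if not IDENT.match(table):
        raise ValueError("table name is not an identifier: %r" % table)
    exists = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    if exists is None:
        raise LookupError("no such table: %r" % table)
    return con.execute('SELECT * FROM "%s"' % table).fetchall()
```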