Run SQL Statement from a string
Message
From
11/08/2006 16:09:37
Mike Yearwood
Toronto, Ontario, Canada
To
11/08/2006 15:52:50
John Ryan
Captain-Cooker Appreciation Society
Taumata Whakatangi ..., New Zealand
General information
Forum:
Visual FoxPro
Category:
Coding, syntax & commands
Environment versions
Visual FoxPro:
VFP 9 SP1
OS:
Windows XP SP2
Network:
Windows 2003 Server
Database:
Visual FoxPro
Miscellaneous
Thread ID:
01144703
Message ID:
01144925
Views:
20
>Thanks, Mike!
>
>In this particular example, even concatenating a simple SQL Select is risky if a hacker can mess with the lcCompany variable.

Yes. *IF*

>If lcCompany is set to JJ union (select * from mytable) then concatenating that into a SQL string will include all the records in mytable.
>
>IMHO the best response is to use Name expression as proposed by Sergey:
>
>
>Select * from ("d:\demo\pro73b\sampledata\" + ALLTRIM(lcfile) + ALLTRIM(lcCompany))
>
>Not possible to inject that.
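An added example (not code from this thread) showing the three forms side by side in VFP 9: the macro-substituted string John describes, the name expression Sergey proposed, and an allow-list check run before any table name is built. It assumes free tables named cust<company>.dbf under the d:\demo\pro73b\sampledata\ directory quoted above; "mytable" and the ValidCompanyTable() function are hypothetical.

```foxpro
* Added example, not code from the thread. Assumes free tables named
* <lcFile><lcCompany>.dbf (e.g. custJJ.dbf) under lcDir; "mytable" is hypothetical.
LOCAL lcDir, lcFile, lcCompany, lcSql, lcTable, loErr
lcDir     = "d:\demo\pro73b\sampledata\"
lcFile    = "cust"
lcCompany = "JJ union (select * from mytable)"   && constructed hostile input

* 1. Vulnerable: building the statement as text and running it with macro
*    substitution executes whatever the variable contains.
lcSql = "SELECT * FROM " + lcDir + ALLTRIM(lcFile) + ALLTRIM(lcCompany) ;
        + " INTO CURSOR crsAll"
* &lcSql       && the UNION runs and every record of mytable comes back

* 2. Name expression (Sergey's approach): the parenthesised expression is
*    evaluated to ONE table name and never parsed as SQL, so the hostile
*    suffix is just part of a filename and the query fails with a file error.
TRY
    SELECT * FROM (lcDir + ALLTRIM(lcFile) + ALLTRIM(lcCompany)) INTO CURSOR crsCompany
CATCH TO loErr
    ? "Query refused: " + loErr.Message
ENDTRY

* 3. Validate before building any name: accept only company codes made of
*    letters/digits and only open tables that actually exist under lcDir.
IF ValidCompanyTable(lcDir, lcFile, lcCompany, @lcTable)
    SELECT * FROM (lcTable) INTO CURSOR crsCompany
ELSE
    ? "Rejected company code: " + lcCompany
ENDIF

FUNCTION ValidCompanyTable(tcDir, tcFile, tcCompany, tcTable)
    LOCAL lcCode, lcPath
    lcCode = UPPER(ALLTRIM(tcCompany))
    * CHRTRAN() strips every allowed character; anything left over is illegal.
    * The 8-character limit is an assumed maximum for a company code.
    IF EMPTY(lcCode) OR LEN(lcCode) > 8 ;
       OR NOT EMPTY(CHRTRAN(lcCode, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", ""))
        RETURN .F.
    ENDIF
    lcPath = ADDBS(tcDir) + ALLTRIM(tcFile) + lcCode + ".dbf"
    IF NOT FILE(lcPath)
        RETURN .F.
    ENDIF
    tcTable = lcPath       && returned by reference to the caller
    RETURN .T.
ENDFUNC
```

With the hostile value above, form 2 raises a file error instead of running the UNION, and form 3 rejects the value before any table name is assembled.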