>Thanks, Mike!
>
>In this particular example, even concatenating a simple SQL Select is risky if a hacker can mess with the lcCompany variable.
>
>If lcCompany is set to
JJ union (select * from mytable) then concatenating that into a SQL string will include all the records in mytable.
>
>IMHO the best response is to use Name expression as proposed by Sergey:
>
>
Select * from ("d:\demo\pro73b\sampledata\" + ALLTRIM(lcfile) + ALLTRIM(lcCompany))
>
>Not possible to inject that.
I hear you, but with all the near paranoia over SIA, I'm not ready to avoid using concatenation. Knowledge really is power. Knowledge of SIA let's us prevent it. For one thing, I could get around the injection possiblity like this:
USE ("d:\demo\pro73b\sampledata\" + ALLTRIM(m.lcfile) + ALLTRIM(m.lcCompany)) ALIAS tblCompany
TEXT TO m.lcSQL TEXTMERGE NOSHOW
select * ;
from tblCompany ;
into cursor crsCompanies
ENDTEXT
The query listed above is too simple. It will likely expand. The use of TEXT...ENDTEXT to assemble queries makes for a nicely maintainable consistent technique.
In that I also have a utility where the user can build parameterized ad-hoc where clauses (SQL Injection Attack free, I might add), I choose to build up SQL by concatenation while avoiding possible injections. That empowers my users and keeps things safe.
Thanks!