SQL Server problem
Message
09/02/2007 18:56:43
Mike Yearwood
Toronto, Ontario, Canada
General information
Forum:
Visual FoxPro
Category:
Database, Tables, Views, Indexes and SQL syntax
Miscellaneous
Thread ID:
01194131
Message ID:
01194392
Views:
18
>>>Not necessary, I understand your point. In this particular case lcPermID will always be a string made up of numeric characters, so it would probably work OK. However for the sake of proper form I will modify it per ?m.lcPermID, <>, or "'" + lcPermID + "'". Is one better than the others?
>>
>>Yes, using parameters, VFP calls sp_executesql; that means you use Dynamic SQL, which sometimes can be slower. When you use
>>[']+variable+['] syntax the query is executed directly.
>
>Borislav
>
>When that variable comes from the UI or even from a table containing user provided data there is a risk of SQL Injection Attacks. That danger FAR outweighs any minor speed difference.

When you work with numerics or date types (as I do) no injection is possible :-)
Against Stupidity the Gods themselves Contend in Vain - Johann Christoph Friedrich von Schiller
The only thing normal about database guys is their tables.
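The two forms discussed in this exchange, side by side, as an added example (not code from the thread or from Level Extreme); the connection handle `lnHandle`, the table `Perms` and the column `PermID` are assumptions for illustration.

```foxpro
* Added example, not code from the thread. Assumes lnHandle is an open
* SQL pass-through handle (from SQLSTRINGCONNECT) and a SQL Server table
* Perms with a character column PermID; all three names are assumptions.
LOCAL lcPermID, lcSQL, lnResult
lcPermID = "12345"   && constructed sample, a "string of numeric characters" as in the thread

* Form 1: concatenation. Whatever lcPermID holds becomes part of the
* statement text, so the server cannot tell data from SQL. Executed
* directly, but only safe when the value is guaranteed to be what you expect.
lcSQL = "SELECT * FROM Perms WHERE PermID = '" + lcPermID + "'"

* Form 2: parameter. VFP sends the statement with a placeholder and the
* value separately (sp_executesql on SQL Server), so the value is always
* treated as data. The m. prefix forces the memory variable, not a field.
lcSQL = "SELECT * FROM Perms WHERE PermID = ?m.lcPermID"

* Belt and braces for the digits-only case: reject anything that is not
* purely numeric before it reaches either form of the query.
IF EMPTY(lcPermID) OR NOT EMPTY(CHRTRAN(lcPermID, "0123456789", ""))
    MESSAGEBOX("PermID must contain only digits")
    RETURN .F.
ENDIF

lnResult = SQLEXEC(lnHandle, lcSQL, "crsPerms")
IF lnResult < 0
    AERROR(laErr)
    MESSAGEBOX(laErr[2])
ENDIF
```

The validation step is what makes Form 1 tolerable for an all-digit value; Form 2 does not depend on it, which is why the parameterised form is the safer default when the value originates from a user or a user-populated table.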