SQL Server problem
Message
Date: 09/02/2007 18:56:43
To: Mike Yearwood, Toronto, Ontario, Canada
General information
Forum: Visual FoxPro
Category: Databases, Tables, Views, Indexing and SQL syntax; Miscellaneous
Thread ID: 01194131
Message ID: 01194392
Views: 20
>>>Not necessary, I understand your point. In this particular case lcPermID will always be a string made up of numeric characters, so it would probably work OK. However for the sake of proper form I will modify it per ?m.lcPermID, <>, or "'" + lcPermID + "'". Is one better than the others?
>>
>>Yes, using parameters VFP calls sp_executesql, that means you use Dynamic SQL which sometimes can be slower. When you use
>>[']+variable+['] syntax the query is executed directly.
>
>Borislav
>
>When that variable comes from the UI or even from a table containing user provided data there is a risk of SQL Injection Attacks. That danger FAR outweighs any minor speed difference.

When you work with numerics or date types (as I do) no injection is possible :-)
Against Stupidity the Gods themselves Contend in Vain - Johann Christoph Friedrich von Schiller
The only thing normal about database guys is their tables.
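The two query forms the thread compares, as an added example that is not part of this thread and uses Python's sqlite3 instead of VFP SQL pass-through to SQL Server; the `perms` table, its columns and the sample rows are constructed here. It shows why the `"'" + lcPermID + "'"` form makes the statement depend on the data while the `?m.lcPermID` form keeps the SQL text fixed, and why the "always numeric characters" assumption is only safe if it is actually enforced.

```python
import sqlite3

# Constructed sample data standing in for the permission table in the thread
# (table and column names are assumptions; the thread does not name them).
SAMPLE_ROWS = [("42", "alice"), ("O'Brien", "bob")]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE perms (perm_id TEXT, name TEXT)")
    conn.executemany("INSERT INTO perms VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, perm_id):
    """The "'" + lcPermID + "'" style: the value is spliced into the SQL text,
    so any quote character inside it changes the statement itself."""
    sql = "SELECT name FROM perms WHERE perm_id = '" + perm_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, perm_id):
    """The ?m.lcPermID style: the value is bound as a parameter and the SQL
    text never changes, whatever characters the value contains."""
    sql = "SELECT name FROM perms WHERE perm_id = ?"
    return [row[0] for row in conn.execute(sql, (perm_id,))]


def is_numeric_id(value):
    """Guard that makes the 'always numeric characters' assumption explicit;
    without such a check the assumption is only a hope."""
    return value.isdigit()


def concat_fails(conn, perm_id):
    """True when the concatenated statement cannot even be parsed for this
    value, i.e. the data has altered the SQL structure."""
    try:
        lookup_concat(conn, perm_id)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "42"), lookup_param(db, "42"))
    print(concat_fails(db, "O'Brien"), lookup_param(db, "O'Brien"))
```

For a plain numeric value both forms return the same row; for a value holding a quote the concatenated statement breaks (or, with other characters, changes meaning) while the parameterised one still returns the intended row.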