Mike Yearwood
Toronto, Ontario, Canada
General information
Category:
Database, Tables, Views, Indexes and SQL syntax
>>>>Not necessary, I understand your point. In this particular case lcPermID will always be a string made up of numeric characters, so it would probably work OK. However for the sake of proper form I will modify it per ?m.lcPermID, <>, or "'" + lcPermID + "'". Is one better than the others?
>>>
>>>Yes, when using parameters VFP calls sp_executesql, which means you use Dynamic SQL, and that can sometimes be slower. When you use the
>>>[']+variable+['] syntax the query is executed directly.
>>
>>Borislav
>>
>>When that variable comes from the UI or even from a table containing user provided data there is a risk of SQL Injection Attacks. That danger FAR outweighs any minor speed difference.
>
>When you work with numeric or date types (as I do) no injection is possible :-)
True enough. However, please please consider that some (maybe new?) programmers will see no distinction between date and character values. They will believe it is ok to do for character what you do for dates. IMO the consistent and safer approach would be to parameterize ALL values regardless of type.
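The two patterns discussed in this thread side by side, as an added example that is not part of the original post or of any VFP code the participants wrote. It uses Python's built-in sqlite3 instead of VFP/SQL Server, so the table, the column names (permid, username, level) and the sample rows are constructed for illustration; the point it shows is the one made above: the `'` + variable + `'` splice lets a string value change the meaning of the query, while a bound parameter (the `?m.lcPermID` form) does not, and parameters accept numeric values just as readily as character ones.

```python
import sqlite3

# Constructed sample data: a permissions table whose ID is stored as text
# (like lcPermID, a string of numeric characters) plus an integer column.
ROWS = [("1001", "alice", 1), ("1002", "bob", 2), ("1003", "carol", 2)]


def make_db():
    """Build an in-memory database with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE perms (permid TEXT, username TEXT, level INTEGER)")
    con.executemany("INSERT INTO perms VALUES (?, ?, ?)", ROWS)
    return con


def lookup_concat(con, perm_id):
    """The ['] + variable + ['] pattern: the value becomes part of the SQL text."""
    sql = "SELECT username FROM perms WHERE permid = '" + perm_id + "' ORDER BY rowid"
    return [row[0] for row in con.execute(sql)]


def lookup_param(con, perm_id):
    """The ?m.lcPermID pattern: the value is bound separately and is never parsed as SQL."""
    sql = "SELECT username FROM perms WHERE permid = ? ORDER BY rowid"
    return [row[0] for row in con.execute(sql, (perm_id,))]


def lookup_param_level(con, level):
    """Same parameter mechanism with a numeric value: no quoting or type special-casing needed."""
    sql = "SELECT username FROM perms WHERE level = ? ORDER BY rowid"
    return [row[0] for row in con.execute(sql, (level,))]


def demo():
    """Run both lookups with an ordinary ID and with a value that is valid SQL once spliced in."""
    con = make_db()
    benign = "1002"
    hostile = "x' OR '1'='1"  # constructed input: not a valid ID, but it rewrites the WHERE clause
    return {
        "concat_benign": lookup_concat(con, benign),    # ['bob']
        "concat_hostile": lookup_concat(con, hostile),  # every row: the filter was defeated
        "param_benign": lookup_param(con, benign),      # ['bob']
        "param_hostile": lookup_param(con, hostile),    # []: compared literally, matches nothing
        "param_numeric": lookup_param_level(con, 2),    # ['bob', 'carol']
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterized lookup does not need to know whether the caller passes a string, an integer or a date; the driver handles typing and quoting, which is why treating every value the same way, as the post above recommends, removes the judgement call that a newer programmer might get wrong.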