Mike Yearwood
Toronto, Ontario, Canada
General information
Category:
Databases, Tables, Views, Indexing and SQL syntax
>>>>Not necessary, I understand your point. In this particular case lcPermID will always be a string made up of numeric characters, so it would probably work OK. However for the sake of proper form I will modify it per ?m.lcPermID, <>, or "'" + lcPermID + "'". Is one better than the others?
>>>
>>>Yes, using parameters VFP calls sp_executesql, that means you use Dynamic SQL which sometimes can be slower. When you use
>>>[']+variable+['] syntax the query is executed directly.
>>
>>Borislav
>>
>>When that variable comes from the UI or even from a table containing user provided data there is a risk of SQL Injection Attacks. That danger FAR outweighs any minor speed difference.
>
>When you work with numerics or date types (as I do) no injection is possible :-)
True enough. However, please please consider that some (maybe new?) programmers will see no distinction between date and character values. They will believe it is ok to do for character what you do for dates. IMO the consistent and safer approach would be to parameterize ALL values regardless of type.
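The two query styles argued over in this thread, side by side, as an added example that is not code from the thread or from any of its participants. It uses Python with an in-memory SQLite database as a stand-in for the back end that VFP's SQLEXEC() would talk to: the `?` placeholder plays the role of VFP's `?m.lcPermID` parameter, and the string-built query is the `[']+variable+[']` form. The table, the column names (`permid`, `username`, `granted`) and the rows are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a remote permissions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE perms (permid TEXT, username TEXT, granted TEXT)")
    conn.executemany(
        "INSERT INTO perms VALUES (?, ?, ?)",
        [("1001", "alice", "2024-01-05"),
         ("1002", "bob", "2024-02-10"),
         ("1003", "carol", "2024-03-15")],
    )
    conn.commit()
    return conn


def by_permid_concat(conn, lc_permid):
    """The ['] + variable + ['] style: the value becomes part of the SQL text,
    so a quote inside the value ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM perms WHERE permid = '" + lc_permid + "'"
    return [row[0] for row in conn.execute(sql)]


def by_permid_numeric_concat(conn, lc_permid):
    """The 'it is only digits, so no quotes needed' style. With no quoting at all,
    anything that is not purely digits is parsed as SQL, not as a value."""
    sql = "SELECT username FROM perms WHERE permid = " + lc_permid
    return [row[0] for row in conn.execute(sql)]


def by_permid_param(conn, lc_permid):
    """The ?m.lcPermID style: the value travels separately from the statement
    and is compared as data, whatever characters it contains."""
    sql = "SELECT username FROM perms WHERE permid = ?"
    return [row[0] for row in conn.execute(sql, (lc_permid,))]


def granted_after_param(conn, since_iso):
    """Dates parameterize the same way as strings; no hand-built literal needed.
    since_iso is an ISO-8601 date string such as '2024-02-01'."""
    sql = "SELECT username FROM perms WHERE granted > ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (since_iso,))]


def run_demo():
    """Run every query with a normal value and with a crafted one; return the results."""
    conn = make_db()
    crafted_quoted = "1001' OR '1'='1"   # closes the literal, then appends a tautology
    crafted_bare = "1001 OR 1=1"         # same trick against the unquoted form
    return {
        "concat_normal": by_permid_concat(conn, "1002"),
        "concat_crafted": sorted(by_permid_concat(conn, crafted_quoted)),
        "numeric_concat_crafted": sorted(by_permid_numeric_concat(conn, crafted_bare)),
        "param_normal": by_permid_param(conn, "1002"),
        "param_crafted": by_permid_param(conn, crafted_quoted),
        "date_param": granted_after_param(conn, "2024-02-01"),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:24} {rows}")
```

With a well-formed value both styles return the same single row. With the crafted value the concatenated queries return every row in the table, while the parameterized query returns nothing, because no `permid` equals the literal string `1001' OR '1'='1`. The unquoted "numeric" variant fails the same way as soon as the value is not purely digits, which is the case Mike warns about: a habit learned on numeric and date columns carries straight over to character columns.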