Report with lots of user options
28/10/2007 20:21:22
General information
Forum:
Visual FoxPro
Category:
Reports & Report designer
Environment versions
Visual FoxPro:
VFP 7 SP1
OS:
Windows XP SP2
Network:
Windows 2000 Server
Database:
Visual FoxPro
Miscellaneous
Thread ID:
01264661
Message ID:
01265088
Views:
8
>Hi. Doing a SQL where end-user has a choice of any number of options. Should I do a
>macro substitution. Is there a tutorial on this? Is there an easier way?

If you let the customer type in things to search for, make sure you allow for the possibility of a SQL injection attack.

Say you use something like the following code:
lcName = "Avery 4143"
SELECT * ;
	FROM HOME(1) + "labels" ;
	WHERE name = "&lcName."
All well and good, right? But what if the user adds a bit to the "label name"?
lcName = [Avery"+IIF(EXECSCRIPT('? "Hi there!"'), " ", " ") + "4143]
SELECT * ;
	FROM HOME(1) + "labels" ;
	WHERE name = "&lcName."
(My original code had MESSAGEBOX() in it, but that turned out to be too painful. :-) )
Member of the Trim Your Auto-Quote Campaign!
What's another word for thesaurus?
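The safe alternative to macro substitution, as an added example that is not part of the original post: keep the user's input in a memory variable and reference that variable in the WHERE clause, so VFP compares it as data rather than compiling it as code. The "labels" cursor, its fields and the two rows are constructed here for the demonstration; the injected value is the one from the post above.

```foxpro
* Added example, not the poster's code. The "labels" cursor and its
* fields (name, size) are constructed here so the block runs on its own.
CREATE CURSOR labels (name C(40), size C(10))
INSERT INTO labels VALUES ("Avery 4143", "4x2")
INSERT INTO labels VALUES ("Avery 5160", "1x2.625")

* User-supplied values stay in variables; they are never spliced into
* the SQL text with &, so this string is just a 40-character name to match.
lcName = [Avery"+IIF(EXECSCRIPT('? "Hi there!"'), " ", " ") + "4143]
lcSize = ""

* Any number of optional criteria: each IIF() yields .T. when the user
* left that option blank, so no SQL text has to be assembled at runtime.
SELECT * ;
    FROM labels ;
    WHERE IIF(EMPTY(lcName), .T., name == lcName) ;
      AND IIF(EMPTY(lcSize), .T., size == lcSize) ;
    INTO CURSOR crsResult

* 0 rows: the injected text was compared as plain data, nothing executed.
? RECCOUNT("crsResult")

* Same query with a genuine name returns the matching row.
lcName = "Avery 4143"
SELECT * ;
    FROM labels ;
    WHERE IIF(EMPTY(lcName), .T., name == lcName) ;
      AND IIF(EMPTY(lcSize), .T., size == lcSize) ;
    INTO CURSOR crsResult
? RECCOUNT("crsResult")   && 1
```

The variables carry an lc prefix because VFP resolves an unqualified name in a query to a field first, so a variable called "name" would be shadowed by the field. If you ever do need macro substitution (for example to vary the FROM table), build the macro only from values you control, and keep everything the user typed in variables as above.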