How to pass a variable to SQL statement.
Message
From
01/02/2008 12:48:43
To
01/02/2008 01:30:29
Dragan Nedeljkovich (Online)
Now officially retired
Zrenjanin, Serbia
General information
Forum:
Visual FoxPro
Category:
Troubleshooting
Miscellaneous
Thread ID:
01287831
Message ID:
01288196
Views:
10
and in addition to this... if you're especially paranoid, you may want to make a function to replace any embedded quotes with quote images (e.g. replace "'" with "''") and call it in the statement where you construct the SQL statement -- just in case (to avoid SQL injection problems).

THISFORM.combo2.ROWSOURCE=[select nombres from alumnos where nombres LIKE "] + STRTRAN(Nom,"'","''") + [" into cursor listnom]

Of course this might depend on if the query is interpreted by VFP directly or if it simply gets passed to the SQL backend. If it gets passed to the SQL backend, you could get a nasty surprise. Consider the possibility of what would happen if:

Nom = "'; drop table alumnos;"