How to pass a variable to SQL statement.

Plateforme Level Extreme

Abonnement

Profil corporatif

Produits & Services

Support

Légal

English

How to pass a variable to SQL statement.

Message

01/02/2008 12:48:43

Naoto Kimura
Jantek Electronics, Inc.
Temple City, Californie, États-Unis

01/02/2008 01:30:29

Dragan Nedeljkovich (En ligne)
Now officially retired
Zrenjanin, Serbia

Information générale

Forum:

Visual FoxPro

Catégorie:

Problèmes

Titre:

Re: How to pass a variable to SQL statement.

Divers

Thread ID:

01287831

Message ID:

01288196

Vues:

and in addition to this... if you're especially paranoid, you may want to make a function to replace any embedded quotes with quote images (e.g. replace "'" with "''") and call it in the statement where you construct the SQL statement -- just in case (to avoid SQL injection problems).

THISFORM.combo2.ROWSOURCE=[select nombres from alumnos where nombres LIKE "] + STRTRAN(Nom,"'","''") + [" into cursor listnom]

Of course this might depend on if the query is interpreted by VFP directly or if it simply gets passed to the SQL backend. If it gets passed to the SQL backend, you could get a nasty suprise. Consider the possiblity of what would happen if:

Nom = "'; drop table alumnos;"

Répondre

Fil

Voir

Click here to load this message in the networking platform