How to pass a variable to SQL statement.
Message
From: Dragan Nedeljkovich (Now officially retired), Zrenjanin, Serbia, 01/02/2008 16:57:32
To: 01/02/2008 12:48:43
General information
Forum: Visual FoxPro
Category: Troubleshooting, Miscellaneous
Thread ID: 01287831
Message ID: 01288355
Views: 13
>and in addition to this... if you're especially paranoid, you may want to make a function to replace any embedded quotes with quote images (e.g. replace "'" with "''") and call it in the statement where you construct the SQL statement -- just in case (to avoid SQL injection problems).
>
>THISFORM.combo2.ROWSOURCE=[select nombres from alumnos where nombres LIKE "] + STRTRAN(Nom,"'","''") + [" into cursor listnom]

>Of course this might depend on if the query is interpreted by VFP directly or if it simply gets passed to the SQL backend. If it gets passed to the SQL backend, you could get a nasty surprise. Consider the possibility of what would happen if:
>
>Nom = "'; drop table alumnos;"

Two famous quotes from Henry Kissinger:

"I may be paranoid, but they're still out to get me"

"It's not whether I'm paranoid or not, it's whether I'm paranoid enough"

I think we can neglect the danger of SQL injection when we have thisform.someCtl.value. And even if it's something we know the source of, we could pass it to the backend as a parameter, or do some .SanitizeString() procedure on it. There are techniques, of course.

back to same old

the first online autobiography, unfinished by design
What, me reckless? I'm full of recks!
Balkans, eh? Count them.
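
The three options mentioned in this thread (raw concatenation, quote doubling, passing the value as a parameter), shown side by side as an added example that is not part of the original posts. It uses Python's `sqlite3` with an in-memory database as a stand-in for the SQL backend rather than VFP; the sample rows and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample rows; table and column names follow the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alumnos (nombres TEXT)")
    db.executemany("INSERT INTO alumnos VALUES (?)",
                   [("Ana",), ("Luis",), ("O'Brien",)])
    return db

def escape_quotes(value):
    # Same idea as STRTRAN(Nom, "'", "''"). It only helps when the literal is
    # delimited by the same quote character that gets doubled.
    return value.replace("'", "''")

def build_sql(nom, escape):
    # Builds the statement text by concatenation, with or without doubling.
    literal = escape_quotes(nom) if escape else nom
    return "SELECT nombres FROM alumnos WHERE nombres LIKE '" + literal + "'"

def run_text(db, sql):
    # Returns matching names, or None when the driver rejects the text
    # (syntax error, or more than one statement in the string).
    try:
        return [row[0] for row in db.execute(sql)]
    except (sqlite3.Error, sqlite3.Warning):
        return None

def find_parameterized(db, nom):
    # The value is bound separately and is never parsed as SQL text.
    cur = db.execute("SELECT nombres FROM alumnos WHERE nombres LIKE ?", (nom,))
    return [row[0] for row in cur]

def row_count(db):
    return db.execute("SELECT COUNT(*) FROM alumnos").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    for nom in ["O'Brien", "'; drop table alumnos;"]:  # second value is from the thread
        print(repr(nom))
        print("  raw text     :", run_text(db, build_sql(nom, escape=False)))
        print("  quote-doubled:", run_text(db, build_sql(nom, escape=True)))
        print("  parameter    :", find_parameterized(db, nom))
    print("rows still in alumnos:", row_count(db))
```

With raw concatenation, even a legitimate name containing an apostrophe breaks the statement, while the bound parameter handles both inputs as plain data without any escaping routine.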