Level Extreme platform
How to pass a variable to an SQL statement.
From: Mike Yearwood, Toronto, Ontario, Canada, 03/02/2008 13:51:54
In reply to: message of 03/02/2008 11:33:42
General information
Forum: Visual FoxPro
Category: Troubleshooting, Miscellaneous
Thread ID: 01287831
Message ID: 01288800
Views: 13
>>>>>>Hello all. Another noob question.
>>>>>>I have 2 fields. One is a text box, the other a combo box.
>>>>>>The LOST FOCUS property of the text box assigns its value to a xVariable
>>>>>>Then it populates (or tries to) the combo box with:
>>>>>>thisform.combo1.rowsource="select names from table1 where names LIKE xVariable into cursor Z"
>>>>>>In other words, I want that if xVariable is "GA", the combo box is populated with all the names that start with GA.
>>>>>>I have tried several possibilities with no success. What am I missing?
>>>>>>
>>>>>>TIA
>>>>>how about:
>>>>>
>>>>>thisform.combo1.rowsource="select names from table1 where names LIKE '" + xVariable + "%' into cursor Z"
>>>>>
>>>>>However this will not work unless xVariable is public. Better to make it a Form Property:
>>>>>
>>>>>
>>>>>thisform.combo1.rowsource="select names from table1 where names LIKE '" + ThisForm.xVariable + "%' into cursor Z"
>>>>
>>>>Umm. Hello? Does anyone worry about SQL Injection Attacks anymore?
>>>
>>>I don't know. Do they?
>>>
>>>Anyway this is not the approach I would take if I were to write the application. I just never use a select statement as a rowsource. This is just a suggestion for something to try, as the post indicated.
>>>
>>>Besides, it depends on what you are planning to prevent injection into. In a normal ADD/EDIT form with multiple fields I doubt any developer would place SQL injection prevention code in every field anyway. Especially if there are many fields on the form, into any one of which code could be injected anyway.
>>
>>Frankly there is a huge misconception about SQL injection. Doing stuff to each field to suppress entry of SQL does not stop SQL injection. NOT injecting field contents into an SQL command stops SQL injection. If any field value is to be included in an SQL command, parameterize it. Simple solution.
>
>Not simple at all. If I have a simple data entry form that allows edits and that form has, say, 20 fields bound to text boxes, and the user can edit and then save, imagine writing an update statement parameterizing all those fields that have changed. Besides, in the case you mention, you would not be able to bind the fields, no Views or Cursor Adapters. You would have to develop a class that would build your Update statement.
>
>I can understand doing this on a web site, but I have never heard this about applications. I have developed many Web Services and have always parameterised my SQL statements but never for in-house applications. That is going overboard IMHO. No thank you.

That's your opinion. Which IMO amounts to saying I don't need a spark plug, I'll just stick two wires in a gas can.

I use data classes to get data for all objects on the form. Since I'm doing everything the same way, there's less work for me to do so it's far from overkill. What is done instead of that is what I see as underkill.
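Added example (not code from the thread or from any of its posters): the two approaches the thread argues about, side by side, so the difference can be run rather than debated. Visual FoxPro is not available here, so the query is run against an in-memory SQLite table standing in for the thread's `table1` with its `names` column; the table rows, the function names and the injection string are all constructed for this example. `names_by_concat` pastes the user's text into the command exactly as the quoted RowSource suggestion does; `names_by_param` keeps the text out of the command and binds it as a parameter, which is what the "parameterize it" reply means (in VFP that is whatever parameter facility the command supports, for instance the `?` markers of SQL pass-through, rather than string concatenation). The example also covers a point the thread does not raise: with LIKE, a bound parameter still carries `%` and `_` as wildcards, so those are escaped as well.

```python
import sqlite3

# Constructed sample rows (not from the thread): two names starting with "GA",
# one with an apostrophe, and two starting with "50" so that a wildcard typed
# by the user can be shown matching more than intended.
SAMPLE_NAMES = ["GARCIA", "GALLAGHER", "SMITH", "O'BRIEN", "50%_OFF", "500_ITEMS"]

# Value a user could type into the text box. Against the concatenated command it
# closes the LIKE literal and ORs in a pattern that matches every row.
INJECTION_PREFIX = "%' OR '1'='1"


def make_db():
    """In-memory SQLite stand-in for the thread's table1 with a names column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (names TEXT)")
    conn.executemany("INSERT INTO table1 VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def names_by_concat(conn, prefix):
    """Vulnerable: the user's text becomes part of the command, as in the
    thread's RowSource suggestion. Quotes and wildcards in it are read as SQL."""
    sql = ("SELECT names FROM table1 WHERE names LIKE '" + prefix + "%' "
           "ORDER BY names")
    return [row[0] for row in conn.execute(sql)]


def escape_like(value, esc="\\"):
    """Make % and _ in user text match themselves inside a LIKE pattern."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def names_by_param(conn, prefix):
    """Parameterized: the command text is fixed; the pattern is bound as data.
    The trailing % (the only wildcard we want) is added in code, after escaping
    any wildcard the user typed."""
    sql = "SELECT names FROM table1 WHERE names LIKE ? ESCAPE '\\' ORDER BY names"
    return [row[0] for row in conn.execute(sql, (escape_like(prefix) + "%",))]


def concat_fails_on_apostrophe(conn, prefix):
    """True if the concatenated command cannot even be parsed for this input."""
    try:
        names_by_concat(conn, prefix)
        return False
    except sqlite3.OperationalError:
        return True


def run_demo():
    """Collect the outcomes of both approaches for comparison."""
    conn = make_db()
    return {
        "concat_normal": names_by_concat(conn, "GA"),
        "param_normal": names_by_param(conn, "GA"),
        "concat_injected": names_by_concat(conn, INJECTION_PREFIX),
        "param_injected": names_by_param(conn, INJECTION_PREFIX),
        "concat_apostrophe_breaks": concat_fails_on_apostrophe(conn, "O'B"),
        "param_apostrophe": names_by_param(conn, "O'B"),
        "concat_wildcard_leak": names_by_concat(conn, "50%"),
        "param_wildcard_literal": names_by_param(conn, "50%"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both functions return the two "GA" names for ordinary input. With the injection string the concatenated version returns every row while the parameterized one returns nothing, because the text is matched as a literal prefix. The apostrophe case is the one most in-house applications hit first, without any attacker: a legitimate name such as O'Brien breaks the concatenated command outright, while the parameterized one handles it as plain data. The last pair shows why `escape_like` is there even with a bound parameter.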