No question, Marx.
Message
From: Mike Yearwood, Toronto, Ontario, Canada, 28/04/2008 08:42:58
To: Dragan Nedeljkovich, Zrenjanin, Serbia, 27/04/2008 20:01:04
Forum: Visual FoxPro
Category: Client/server
Visual FoxPro: VFP 9 SP1
OS: Windows XP SP1
Thread ID: 01313400
Message ID: 01313473
>
>h=sqlstringconnect("your connect string here")
>?sqlexec(h, "-- is this a proper comment?", "none")
>
>
>You get a nice "SQL parameter is missing." error for this.
>
>Why? Because there's a question mark in the SQL command being sent, and VFP parses it, looking for parameters. Well, the parser isn't too smart - if it was, it would be writing SQL for us, right? - so it finds a question mark followed by nothing that would serve as a variable name, a-ha! Error.
>
>Just in case someone else bangs into this particular corner of the wall, may they escape without this ugly bump on the forehead.

I think everyone should get in the habit of parameterizing things that get sent to SQL Server.
h=sqlstringconnect("your connect string here")
LOCAL lcVar
lcVar = "-- is this a proper comment?"
?sqlexec(h, "?m.lcVar", "none")  && the ? marker sits inside the command string; VFP sends m.lcVar as a parameter
Works like a charm. I just saw an article where a VFP guy made SQL Injection Attackable code. It wouldn't have happened directly from the UI. It would have happened after the user hit save.
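As an added example (not code from either post), here is the same rule applied to an INSERT and a SELECT on a value that contains both a question mark and an apostrophe; the table Notes(Id, Body) and the connect string are assumed placeholders.

```foxpro
* Added example, not code from the thread. Table Notes(Id, Body) and the
* connect string are placeholders.
LOCAL lnHandle, lcNote, lnResult
LOCAL ARRAY laErr[1]

lnHandle = SQLSTRINGCONNECT("your connect string here")
IF lnHandle <= 0
   AERROR(laErr)
   ? "Connect failed:", laErr[2]
   RETURN
ENDIF

* Constructed sample value: punctuation that trips both VFP and the server.
lcNote = "Is this a proper comment? It isn't -- but it has a ? in it"

* What NOT to do: the text is glued into the command, so VFP's pre-parser
* finds the ? and raises "SQL parameter is missing." (as described in the
* thread), and even without the ? the apostrophe would reach the server as
* SQL syntax rather than data.
* lnResult = SQLEXEC(lnHandle, "INSERT INTO Notes (Body) VALUES ('" + lcNote + "')")

* Parameterized form: the only ? in the command text is the marker, and the
* value of m.lcNote travels as a parameter, so its punctuation is never
* parsed as part of the statement.
lnResult = SQLEXEC(lnHandle, "INSERT INTO Notes (Body) VALUES (?m.lcNote)")
IF lnResult < 0
   AERROR(laErr)
   ? "Insert failed:", laErr[2]
ENDIF

* The same rule applies when the user's text is a search term.
lnResult = SQLEXEC(lnHandle, "SELECT Id, Body FROM Notes WHERE Body = ?m.lcNote", "crsNotes")
IF lnResult > 0
   ? "Rows found:", RECCOUNT("crsNotes")
   USE IN crsNotes
ENDIF

SQLDISCONNECT(lnHandle)
```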