No question, Marx.
Message
From: Mike Yearwood, Toronto, Ontario, Canada (28/04/2008 08:42:58)
To: Dragan Nedeljkovich (now officially retired), Zrenjanin, Serbia (27/04/2008 20:01:04)
General information
Forum: Visual FoxPro
Category: Client/server
Environment versions
Visual FoxPro: VFP 9 SP1
OS: Windows XP SP1
Miscellaneous
Thread ID: 01313400
Message ID: 01313473
Views: 10
>
>h=sqlstringconnect("your connect string here")
>?sqlexec(h, "-- is this a proper comment?", "none")
>
>
>You get a nice "SQL parameter is missing." error for this.
>
>Why? Because there's a question mark in the SQL command being sent, and VFP parses it, looking for parameters. Well, the parser isn't too smart - if it was, it would be writing SQL for us, right? - so it finds a question mark followed by nothing that would serve as a variable name, a-ha! Error.
>
>Just in case someone else bangs into this particular corner of the wall, may they escape without this ugly bump on the forehead.

I think everyone should get in the habit of parameterizing things that get sent to SQL Server.
LOCAL h, lcVar
h=sqlstringconnect("your connect string here")
lcVar = "-- is this a proper comment?"
?sqlexec(h, "?m.lcVar", "none")   && the ? marker goes inside the command string; VFP binds m.lcVar as a parameter
Works like a charm. I just saw an article where a VFP guy made SQL Injection Attackable code. It wouldn't have happened directly from the UI. It would have happened after the user hit save.
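The two shapes of pass-through Mike is contrasting, as an added example that is not part of this thread: a value pasted into the SQL text versus the same value bound through a ? marker. The table and column names (customers, cust_id, cust_name) and the connect string are assumed.

```foxpro
* Added example, not from the thread. Assumes a SQL Server table
* customers(cust_id, cust_name) and a working connect string.
LOCAL lnHandle, lcSearch, lcSql, lnRows
LOCAL ARRAY laErr[1]
lnHandle = SQLSTRINGCONNECT("your connect string here")
IF lnHandle < 1
   AERROR(laErr)
   ? "Connect failed:", laErr[2]
   RETURN
ENDIF

* Value as the user typed it and saved it; the ? is ordinary data
lcSearch = "why?"

* Risky: the value becomes part of the SQL text. Here the stray ? makes
* VFP hunt for a parameter that does not exist ("SQL parameter is missing"),
* and a quote in the value would let the text rewrite the statement itself.
lcSql = "SELECT cust_id, cust_name FROM customers WHERE cust_name = '" ;
   + lcSearch + "'"
lnRows = SQLEXEC(lnHandle, lcSql, "crsRisky")
IF lnRows < 0
   AERROR(laErr)
   ? "Concatenated version failed:", laErr[2]
ENDIF

* Safe: the only ? VFP parses is the marker in the command string; the
* contents of m.lcSearch travel as bound data, never as SQL.
lcSql = "SELECT cust_id, cust_name FROM customers WHERE cust_name = ?m.lcSearch"
lnRows = SQLEXEC(lnHandle, lcSql, "crsSafe")
? "Parameterized version returned", lnRows, "result set(s), rows:", RECCOUNT("crsSafe")

SQLDISCONNECT(lnHandle)
```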