SQL Insert fields with a ' in them
From: Lutz Scheffler, Lutz Scheffler Software Ingenieurbüro, Dresden, Germany (02/06/2015 10:27:45)
To: Mike Yearwood, Toronto, Ontario, Canada (02/06/2015 09:22:51)
Forum: Visual FoxPro
Category: Coding, syntax & commands
Visual FoxPro: VFP 9 SP2
OS: Windows Server 2012
Network: Windows 2008 Server
Database: MS SQL Server
Application: Desktop
Thread ID: 01620334
Message ID: 01620495
Views: 59
>Hi Mark
>
>*This is not needed. mproperty01 = ALLTRIM(STRTRAN(NTR_desc,"'",""))
>mproperty01 = ntr_desc
>lcInsert = "insert into nominaltransaction(nominalbatchnum) values ( ?m.mProperty01 )"
>
>Anything where you concatenate the data into the sql command is called SQL INJECTION. That practice leaves you open to SQL Injection Attacks. Besides, doing what I show above means you need not do any strtrans to sanitize the input.

If you concatenate a SQL string, you just construct a string.
SQL injection is when you manipulate a part of the string (in this case: a parameter) so that it will run extra commands. You inject a command via an abused parameter.

But in general you are right, it's better to do it your way.
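The two ways of building the INSERT from this thread, side by side, as an added Visual FoxPro example that is not code from either poster. It assumes an ODBC DSN named MyDSN (hypothetical) pointing at a SQL Server database that holds the nominaltransaction table from the quoted message.

```foxpro
* Added example: building the INSERT from the thread two ways.
* Assumes an ODBC DSN "MyDSN" (hypothetical) pointing at a SQL Server
* database with a table nominaltransaction(nominalbatchnum varchar).

LOCAL lnHandle, lcDesc, lcSqlConcat, lcSqlParam, lnResult
LOCAL ARRAY laErr[1]

lnHandle = SQLCONNECT("MyDSN")
IF lnHandle < 1
   AERROR(laErr)
   ? "Connect failed: " + laErr[2]
   RETURN
ENDIF

* Constructed sample value containing the apostrophe from the thread title.
lcDesc = "O'Brien's batch"

* 1) Concatenation: the apostrophe in the data closes the SQL literal early,
*    so the rest of the value is parsed as SQL text rather than stored as data.
*    Resulting text: insert into nominaltransaction (nominalbatchnum) values ('O'Brien's batch')
lcSqlConcat = "insert into nominaltransaction (nominalbatchnum) values ('" ;
   + lcDesc + "')"
lnResult = SQLEXEC(lnHandle, lcSqlConcat)
IF lnResult < 0
   AERROR(laErr)
   ? "Concatenated statement rejected by the server: " + laErr[2]
ENDIF

* 2) Parameter marker: VFP hands the variable's value to the ODBC driver
*    separately from the statement text, so the apostrophe is stored as-is
*    and no STRTRAN() stripping of the input is needed.
lcSqlParam = "insert into nominaltransaction (nominalbatchnum) values (?m.lcDesc)"
lnResult = SQLEXEC(lnHandle, lcSqlParam)
IF lnResult < 0
   AERROR(laErr)
   ? "Parameterized insert failed: " + laErr[2]
ELSE
   ? "Parameterized insert stored: " + lcDesc
ENDIF

SQLDISCONNECT(lnHandle)
```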