SQL Insert fields with a ' in them

Plateforme Level Extreme

Abonnement

Profil corporatif

Produits & Services

Support

Légal

English

SQL Insert fields with a ' in them

Message

02/06/2015 10:27:45

Lutz Scheffler
Lutz Scheffler Software Ingenieurbüro
Dresden, Allemagne

02/06/2015 09:22:51

Mike Yearwood
Toronto, Ontario, Canada

Information générale

Forum:

Visual FoxPro

Catégorie:

Codage, syntaxe et commandes

Titre:

Re: SQL Insert fields with a ' in them

Versions des environnements

Visual FoxPro:

VFP 9 SP2

OS:

Windows Server 2012

Network:

Windows 2008 Server

Database:

MS SQL Server

Application:

Desktop

Divers

Thread ID:

01620334

Message ID:

01620495

Vues:

>Hi Mark
>
>*This is not needed. mproperty01 = ALLTRIM(STRTRAN(NTR_desc,"'",""))
>mproperty01 = ntr_desc
>lcInsert = "insert into nominaltransaction(nominalbatchnum) values ( ?m.mProperty01 )"
>
>Anything where you concatenate the data into the sql command is called SQL INJECTION. That practice leaves you open to SQL Injection Attacks. Besides, doing what I show above means you need not do any strtrans to sanitize the input.

If you concenate a SQL string you just construct a string.
SQL injection is when you manipulate a part of the string (in this: a parameter) so that it will run extra commands. You inject a command via abused parameter

But in general you are right, it's better to do it your way.

Words are given to man to enable him to conceal his true feelings.
Charles Maurice de Talleyrand-Périgord

Weeks of programming can save you hours of planning.

Off
There is no place like [::1]

Répondre

Fil

Voir

Click here to load this message in the networking platform