Mike Yearwood
Toronto, Ontario, Canada
General information
Category:
Coding, syntax & commands
Environment versions
Network:
Windows 2008 Server
>>Hi Mark
>>
>>*This is not needed. mproperty01 = ALLTRIM(STRTRAN(NTR_desc,"'",""))
>>mproperty01 = ntr_desc
>>lcInsert = "insert into nominaltransaction(nominalbatchnum) values ( ?m.mProperty01 )"
>>
>>Anything where you concatenate the data into the sql command is called SQL INJECTION. That practice leaves you open to SQL Injection Attacks. Besides, doing what I show above means you need not do any strtrans to sanitize the input.
>
>If you concenate a SQL string you just construct a string.
>SQL injection is when you manipulate a part of the string (in this: a parameter) so that it will run extra commands. You inject a command via abused parameter
>
>But in general you are right, it's better to do it your way.
This may be simply a matter of semantics, but if you're using parameters, it cannot be abused. In my interpretation, the programmer is injecting a value into a string during concatenation. It is this injection that is abused during a sql injection attack. :)
Previous
Next
Reply
View the map of this thread
View the map of this thread starting from this message only
View all messages of this thread
View all messages of this thread starting from this message only