Mike Yearwood
Toronto, Ontario, Canada
General information
Category:
Coding, syntax and commands
Environment versions
Network:
Windows 2008 Server
>>Hi Mark
>>
>>*This is not needed. mproperty01 = ALLTRIM(STRTRAN(NTR_desc,"'",""))
>>mproperty01 = ntr_desc
>>lcInsert = "insert into nominaltransaction(nominalbatchnum) values ( ?m.mProperty01 )"
>>
>>Anything where you concatenate the data into the sql command is called SQL INJECTION. That practice leaves you open to SQL Injection Attacks. Besides, doing what I show above means you need not do any strtrans to sanitize the input.
>
>If you concatenate a SQL string you just construct a string.
>SQL injection is when you manipulate a part of the string (in this case: a parameter) so that it will run extra commands. You inject a command via an abused parameter.
>
>But in general you are right, it's better to do it your way.
This may be simply a matter of semantics, but if you're using parameters, it cannot be abused. In my interpretation, the programmer is injecting a value into a string during concatenation. It is this injection that is abused during a sql injection attack. :)
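To make the point of the thread concrete, here is an added example (not code from either poster) that reproduces both insert styles from the quoted VFP lines in Python with an in-memory sqlite3 database, which stands in for VFP's SQL passthrough. The table and column names are taken from the post; the schema and the sample value "O'Brien batch" are constructed for the demo. The `?` placeholder plays the role of VFP's `?m.mProperty01`.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the post's nominaltransaction table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE nominaltransaction (nominalbatchnum TEXT)")
    return con


def insert_concatenated(con, desc):
    """The practice the thread warns against: the data is spliced into the statement text,
    so any quote character in the value becomes part of the SQL syntax."""
    sql = "insert into nominaltransaction(nominalbatchnum) values ('" + desc + "')"
    con.execute(sql)
    con.commit()


def insert_parameterized(con, desc):
    """The practice Mike recommends: the value travels to the driver separately from the
    statement text, the sqlite3 equivalent of VFP's ?m.mProperty01 placeholder."""
    con.execute("insert into nominaltransaction(nominalbatchnum) values (?)", (desc,))
    con.commit()


def stored_values(con):
    """Return every nominalbatchnum currently in the table."""
    return [row[0] for row in con.execute("select nominalbatchnum from nominaltransaction")]


def demo(desc="O'Brien batch"):
    """Run both styles on the same value and report (concatenated_ok, parameterized_ok, stored).

    An ordinary apostrophe is enough to break the concatenated statement, which is the same
    weakness an attacker abuses; the parameterized insert stores the value verbatim, apostrophe
    included, so no STRTRAN-style stripping is needed.
    """
    con = make_db()
    try:
        insert_concatenated(con, desc)
        concat_ok = True
    except sqlite3.Error:
        concat_ok = False
    insert_parameterized(con, desc)
    return concat_ok, True, stored_values(con)


if __name__ == "__main__":
    print(demo())            # (False, True, ["O'Brien batch"])
    print(demo("plain"))     # (True, True, ['plain', 'plain'])
```

The failing branch uses a harmless apostrophe rather than any attack string: the syntax error it raises is the visible symptom of the same flaw, and the parameterized path shows that the driver, not string cleanup in the application, is what keeps data and SQL apart.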