Level Extreme platform
Change SQL Select into Parameterized
From: Mike Yearwood (Toronto, Ontario, Canada)
Date: 10/07/2015 17:08:43
General information
Forum: Visual FoxPro
Category: Other

Environment versions
Visual FoxPro: VFP 9 SP2
OS: Windows Server 2012
Network: Windows 2008 Server
Database: MS SQL Server
Application: Web

Miscellaneous
Thread ID: 01621947
Message ID: 01621960
Views: 70
>>>>>How do you change the following SQL Select into parameterized?
>>>>>
>>>>>
>>>>>nResult = SQLEXEC(hCon, "SELECT * FROM MyTable WHERE MyField = '" + cFldValue + "'", "c_cursor")
>>>>>
>>>>>
>>>>>TIA.
>>>>
>>>>private cFldValue
>>>>
>>>>cFldValue = 'Test'
>>>>
>>>>nResult = SQLEXEC(hCon, "SELECT * FROM MyTable WHERE MyField =?cFldValue, "c_cursor")
>>>
>>>Where do you put the closing quotation mark (")? After ?cFldValue? Or after =? For example, is the following correct syntax?:
>>>
>>>
>>>nResult = SQLEXEC(hCon, "SELECT * FROM MyTable WHERE MyField =?cFldValue", "c_cursor")
>>>
>>
>>Yes.
>
>Thank you.

FYI - You can do virtually the same in VFP and by doing so across the board, you'd never have created SQL-injection-prone code like your original.
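The two forms discussed in this thread side by side, as an added example that is not part of the original post or any reply. It keeps the thread's names (hCon, MyTable, MyField, cFldValue, c_cursor); the DSN name "MyDSN" and the connection string are placeholders, and the native-VFP query at the end uses the m. variable reference rather than SQL pass-through to show what "virtually the same in VFP" looks like.

```foxpro
* Added example, not code from the thread. Assumes an ODBC DSN "MyDSN"
* (placeholder) pointing at a SQL Server database that holds MyTable
* with a character column MyField.
LOCAL hCon, nResult, cFldValue
LOCAL ARRAY laErr[1]

hCon = SQLSTRINGCONNECT("DSN=MyDSN;Trusted_Connection=Yes")   && placeholder
IF hCon < 1
    AERROR(laErr)
    ? "Connect failed: " + laErr[2]
    RETURN
ENDIF

* A value with an embedded apostrophe is enough to show the problem:
* a name like this is legitimate data, but concatenation turns it into SQL.
cFldValue = "O'Brien"

* Concatenated form (the original code). The quote inside cFldValue ends the
* string literal early, so the statement fails, and a crafted value could
* just as easily alter what the statement does. Do not use this form.
nResult = SQLEXEC(hCon, "SELECT * FROM MyTable WHERE MyField = '" + cFldValue + "'", "c_cursor")
IF nResult < 0
    AERROR(laErr)
    ? "Concatenated query failed: " + laErr[2]
ENDIF

* Parameterized form. ?cFldValue is bound as a parameter by the ODBC driver;
* the value is never parsed as part of the SQL text, so apostrophes are data.
* The closing quotation mark goes after the parameter name, as the thread says.
nResult = SQLEXEC(hCon, "SELECT * FROM MyTable WHERE MyField = ?cFldValue", "c_cursor")
IF nResult > 0
    SELECT c_cursor
    ? "Parameterized query returned " + TRANSFORM(RECCOUNT()) + " row(s)"
ELSE
    AERROR(laErr)
    ? "Parameterized query failed: " + laErr[2]
ENDIF

SQLDISCONNECT(hCon)

* The same idea against a native VFP table: reference the variable directly
* (m. prefix avoids ambiguity with a field of the same name). No string is
* built, so there is nothing for a hostile value to break out of.
SELECT * FROM MyTable WHERE MyField = m.cFldValue INTO CURSOR c_local
```

The parameter variable must be in scope when SQLEXEC runs (LOCAL in the same routine, or PRIVATE as in the first reply); the ODBC driver receives the value separately from the statement text, which is why the injection-prone concatenation disappears entirely rather than merely being escaped.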