Change SQL Select into Parameterized
Message
From
10/07/2015 17:08:43
Mike Yearwood
Toronto, Ontario, Canada
General information
Forum:
Visual FoxPro
Category:
Other
Environment versions
Visual FoxPro:
VFP 9 SP2
OS:
Windows Server 2012
Network:
Windows 2008 Server
Database:
MS SQL Server
Application:
Web
Miscellaneous
Thread ID:
01621947
Message ID:
01621960
Views:
73
>>>>>How do you change the following SQL Select into parameterized?
>>>>>
>>>>>
>>>>>nResult = SQLEXEC(hCon, "SELECT * FROM MyTable WHERE MyField = '" + cFldValue + "'", "c_cursor")
>>>>>
>>>>>
>>>>>TIA.
>>>>
>>>>private cFldValue
>>>>
>>>>cFldValue = 'Test'
>>>>
>>>>nResult = SQLEXEC(hCon, "SELECT * FROM MyTable WHERE MyField =?cFldValue, "c_cursor")
>>>
>>>Where do you put the closing quotation mark (")? After ?cFldValue, or after =? For example, is the following correct syntax?
>>>
>>>
>>>nResult = SQLEXEC(hCon, "SELECT * FROM MyTable WHERE MyField =?cFldValue", "c_cursor")
>>>
>>
>>Yes.
>
>Thank you.

FYI - You can do virtually the same in VFP and, by doing so across the board, you'd never have created SQL-injection-prone code like your original.
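As an added illustration (not code from the thread or from any of its participants), the program below puts the two points of this exchange side by side: the `?cFldValue` parameter form of `SQLEXEC()`, with the closing quote after `?cFldValue` because the whole SQL text is one string literal, and the same `?variable` form in VFP's own SQL against a local cursor, which is the "virtually the same in VFP" remark above. `hCon`, `MyTable`, `MyField`, `cFldValue` and `c_cursor` are the names used in the thread; the ODBC connection string, the database name `MyDb`, the local cursor `MyLocal` and the sample value `O'Brien` are assumptions made for the example.

```foxpro
* Added example, not part of the original thread. Connection string, MyDb,
* MyLocal, c_local and the sample value are assumptions for illustration.
LOCAL hCon, cFldValue, nResult, laErr[1]

* Sample value chosen to contain a single quote. Spliced into the SQL text
* by string concatenation it would terminate the literal early and make the
* statement fail (or worse); bound as a parameter it is only data.
cFldValue = "O'Brien"

* --- Part 1: SQL pass-through with a bound parameter -------------------
hCon = SQLSTRINGCONNECT("Driver={SQL Server};Server=.;Database=MyDb;Trusted_Connection=Yes")
IF hCon < 1
   AERROR(laErr)
   ? "Connect failed: " + laErr[2]
ELSE
   * The entire statement is ONE VFP string literal, so the closing quote
   * comes after ?cFldValue. VFP looks up cFldValue in the calling scope and
   * passes it to the driver as a parameter, never as text inside the query.
   nResult = SQLEXEC(hCon, "SELECT * FROM MyTable WHERE MyField = ?cFldValue", "c_cursor")
   IF nResult < 0
      AERROR(laErr)
      ? "Query failed: " + laErr[2]
   ELSE
      ? "Rows returned from the server:", RECCOUNT("c_cursor")
   ENDIF
   SQLDISCONNECT(hCon)
ENDIF

* --- Part 2: the same ?variable form in local VFP SQL ------------------
* A small constructed cursor so this part runs without any server.
CREATE CURSOR MyLocal (MyField C(20))
INSERT INTO MyLocal (MyField) VALUES ("O'Brien")
INSERT INTO MyLocal (MyField) VALUES ("Smith")

* No quoting or escaping of the value is needed here either.
SELECT * FROM MyLocal WHERE MyField = ?cFldValue INTO CURSOR c_local
? "Rows matched in the local cursor:", RECCOUNT("c_local")   && 1 row (O'Brien)
```

Part 1 needs a reachable SQL Server and a `MyTable` with a `MyField` column; Part 2 is self-contained. Using the `?variable` form everywhere, for both pass-through and local SQL, means no code path ever builds SQL text out of user-supplied values, which is what removes the injection risk described in the thread.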