Replace chr(13) + chr(10)
Message
From:
31/03/2019 05:51:22
General information
Forum:
Visual FoxPro
Category:
Coding, syntax and commands
Miscellaneous
Thread ID:
01667754
Message ID:
01667771
Views:
44
Aside from the carriage return and linefeed, an apostrophe could similarly cause problems if you're concatenating strings to create a SQL statement.

You could continue to concatenate strings by making sure to pass all values through a function that alters the data strings so that they contain proper "escapes" to allow for proper interpretation. Aside from having to write this function, you're still going to have to alter pretty much all the lines of code where you're concatenating the SQL command strings anyway. At that point it's probably easier to simply parameterize your SQL commands (at least with that you're not left with the question of whether you've covered all the possible situations in that "escaping" function code).

As for the dangers of SQL injection:
https://xkcd.com/327/

>You are right. I will re-write my code to use the parametrized command. I am not concerned about SQL injection. But in this particular procedure it is necessary.
>
>>
>>I'm not sure you will be able to find a workaround.
>>
>>See Message #1026953.
>>
>>Also, as a good practice, parameterizing helps to protect against SQL injection. For upcoming development, you might want to establish a data class which does it all for you. I have not had any direct value assignment for a SQL command in years.
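To show the three approaches discussed in this thread side by side (plain concatenation, an escaping function, and a parameterized command), here is an added example that is not from the thread or from Visual FoxPro: it uses Python's built-in sqlite3 driver as a stand-in for the VFP SQL pass-through, and the table name `customers` and the sample value are constructed for the demonstration.

```python
import sqlite3

# Constructed sample value: it contains an apostrophe and an embedded
# chr(13)+chr(10), the two cases the thread says break a concatenated statement.
SAMPLE_NAME = "O'Brien" + chr(13) + chr(10) + "second line"


def escape_literal(value):
    """Minimal 'escaping function' of the kind the post describes: doubles
    apostrophes so the value survives inside a single-quoted SQL literal.
    Every such function must be kept complete for every case the DBMS has."""
    return value.replace("'", "''")


def insert_concatenated(conn, name):
    """Builds the INSERT by string concatenation with no escaping at all.
    Returns True on success, or the driver's error message if the SQL breaks."""
    sql = "INSERT INTO customers (name) VALUES ('" + name + "')"
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error as exc:
        return str(exc)


def insert_escaped(conn, name):
    """Concatenation again, but every value goes through escape_literal first."""
    sql = "INSERT INTO customers (name) VALUES ('" + escape_literal(name) + "')"
    conn.execute(sql)
    return True


def insert_parameterized(conn, name):
    """Parameterized command: the value is bound by the driver and is never
    parsed as part of the SQL text, so apostrophes and CR/LF need no handling."""
    conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))
    return True


def demo():
    """Runs all three against an in-memory database and returns
    (concatenation result, escaped result, parameterized result, stored rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT)")
    concat_result = insert_concatenated(conn, SAMPLE_NAME)
    escaped_result = insert_escaped(conn, SAMPLE_NAME)
    param_result = insert_parameterized(conn, SAMPLE_NAME)
    stored = [row[0] for row in conn.execute("SELECT name FROM customers")]
    return concat_result, escaped_result, param_result, stored
```

Running `demo()` shows the unescaped concatenation failing with a syntax error at the apostrophe, while both the escaped and the parameterized inserts store the value, CR/LF included, exactly as given.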