SQL Select with DateTime and Int
To: Cetin Basoz (Engineerica Inc., Izmir, Turkey)
Date: 14/06/2019 12:42:23
General information
Forum: Visual FoxPro
Category: Databases, Tables, Views, Indexing and SQL syntax; Miscellaneous
Thread ID: 01669054
Message ID: 01669095
>>I use ODBC, not ADO. And I don't use, in this particular case, the parameterized SQL Select. The entire SQL Select expression is passed to a function and the variables are not in scope. And in this case I am not concerned about injection, since the user can only select/specify the date. All other parts of the expression are in the VFP code (hard-coded).
>
>Then there is some ODBC driver that you use that supports VFP? Nice. Then:
>
>IF m.plSqlServer
>    cLifeExpFilter = " AND (PURCHASED IS NOT NULL AND LIFE_EXP IS NOT NULL AND LIFE_EXP > 0 AND ( " +;
>                     " ?m.dPassDate >= DATEADD( year, LIFE_EXP, PURCHASED)) ) "
>ELSE
>    *-- VFP DB
>    cLifeExpFilter = " AND (!EMPTY(PURCHASED) AND LIFE_EXP > 0 AND ?m.dPassDate >= GOMONTH(PURCHASED,LIFE_EXP*12))"
>ENDIF
>
>* this needs to be in scope only where SQLExec is executed.
>* until then the SQL is simply a string
>dPassDate = date()  && but could be a different date, since the user can change it from the current date to a future date
>SQLExec(m.handle, ...)
>
>"And in this case I am not concerned about Injection since user can only select/specify the date."
>
>Unfortunately many programmers think parameters are only for 'SQL injection attacks'. They are not. They are also there to pass the values correctly to the backend (the driver knows how to pass a date value, for example).

I have to correct myself. For SQL Server I use ODBC. But for VFP I connect directly to the data (I don't know how VFP does it under the hood).
As for the danger of injection attacks, I have read and know about it. But this is a very big application and changing it would take much time. Maybe I will do it, but it is not a priority for me at this point.
Thank you for your help and input!
"The creative process is nothing but a series of crises." Isaac Bashevis Singer
"My experience is that as soon as people are old enough to know better, they don't know anything at all." Oscar Wilde
"If a nation values anything more than freedom, it will lose its freedom; and the irony of it is that if it is comfort or money that it values more, it will lose that too." W.Somerset Maugham
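The point made in the quoted reply above, that a `?` parameter is bound by the driver as a value while a pasted-in date is just more SQL text, as an added example that is not code from this thread, from VFP or from Engineerica. It is written in Python against an in-memory SQLite database standing in for the ODBC connection to SQL Server, because a VFP SQLExec() call cannot run stand-alone here. The table `assets`, its columns `purchased` and `life_exp` (mirroring PURCHASED and LIFE_EXP in the filter above) and the four rows in it are constructed for the example; SQLite's `date(col, '+N years')` stands in for `DATEADD(year, LIFE_EXP, PURCHASED)`.

```python
import sqlite3
from datetime import date

# Constructed sample rows (not real data): id, PURCHASED as ISO date text,
# LIFE_EXP in years. Mirrors the two columns used in the filter in the thread.
SAMPLE_ROWS = [
    (1, "2010-01-15", 5),   # life expired 2015-01-15
    (2, "2016-06-30", 5),   # expires 2021-06-30
    (3, "2012-03-01", 0),   # LIFE_EXP = 0: excluded by the filter
    (4, None, 5),           # PURCHASED NULL: excluded by the filter
]

# SQLite stands in for SQL Server over ODBC; date(col, '+N years') is the
# equivalent of DATEADD(year, LIFE_EXP, PURCHASED). The '?' is the only place
# user data enters the statement, exactly like ?m.dPassDate in the VFP string.
LIFE_EXP_FILTER = (
    " AND (purchased IS NOT NULL AND life_exp IS NOT NULL AND life_exp > 0"
    " AND ? >= date(purchased, '+' || life_exp || ' years'))"
)


def open_db():
    """In-memory database holding the constructed rows (assumed table name 'assets')."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE assets (id INTEGER PRIMARY KEY, purchased TEXT, life_exp INTEGER)"
    )
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def expired_ids_parameterized(conn, pass_date):
    """Bind the date as a value: the SQL text is fixed, the driver sees data, not syntax.

    Accepts a datetime.date (the normal path) or raw text (to show that even a
    hostile string is compared as a value and cannot change the query).
    """
    value = pass_date.isoformat() if isinstance(pass_date, date) else pass_date
    sql = "SELECT id FROM assets WHERE 1=1" + LIFE_EXP_FILTER
    return sorted(row[0] for row in conn.execute(sql, (value,)))


def expired_ids_concatenated(conn, pass_date_text):
    """The 'whole expression as one string' approach: paste the date into the SQL."""
    filter_sql = (
        " AND (purchased IS NOT NULL AND life_exp IS NOT NULL AND life_exp > 0"
        " AND '" + pass_date_text + "' >= date(purchased, '+' || life_exp || ' years'))"
    )
    sql = "SELECT id FROM assets WHERE 1=1" + filter_sql
    return sorted(row[0] for row in conn.execute(sql))


def demo():
    """Run both styles against the same rows; returns the expired ids per case."""
    conn = open_db()
    hostile = "2019-06-14' OR 1=1) --"   # constructed hostile input
    return {
        "param_date": expired_ids_parameterized(conn, date(2019, 6, 14)),
        "param_hostile_text": expired_ids_parameterized(conn, hostile),
        "concat_iso": expired_ids_concatenated(conn, "2019-06-14"),
        "concat_dmy": expired_ids_concatenated(conn, "14/06/2019"),
        "concat_hostile": expired_ids_concatenated(conn, hostile),
    }


if __name__ == "__main__":
    for case, ids in demo().items():
        print(f"{case:20s} -> {ids}")
```

Only row 1 has passed its life expectancy on 2019-06-14. The bound parameter returns it whether the caller passes a date object or the hostile string, because the string is compared as text, not parsed as SQL. The concatenated version shows both failure modes the quoted reply warns about: the same date written as "14/06/2019" (the shape DTOC() produces) is compared as text and silently returns nothing, and the hostile string closes the parenthesis and appends `OR 1=1`, returning every row including the NULL and zero-life ones the filter was meant to exclude.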