Tablename as parameter ??
Message
From
31/03/2003 08:28:05
To
30/03/2003 12:00:27
Albert Beermann
Piepenbrock Service Gmbh & Cokg
Osnabrück, Germany
General information
Forum: Visual FoxPro
Category: Client/server
Miscellaneous
Thread ID: 00771831
Message ID: 00771958
Views: 13
Be very careful with this approach. You're taking data straight from the control to your dynamic SQL. This will leave you open to a SQL Injection attack.

http://www.sitepoint.com/article/794

-Mike

>Hello everybody
>I want to use a general function to validate a unique keyfield with an sql command.
>
>Mysql database via odbc !
>
>validate event in foxpro
>p_data = this.value
>p_table = mytable
>p_fieldname = mykeyfield
>
>l_ok = p_exists(p_table,p_fieldname,p_data)
>
>if l_ok > 0
> messagebox("Already exists !")
> return 0
>endif
>
>*************************************************************
>function p_exists
>parameters p_table,p_fieldname,p_data
>
> = SQLEXEC(p_connection,'SELECT count(*) as present from ?p_table where ?p_fieldname = ?p_data')
>
>return present
>endfunc
>**************************************************************************
>
>The ?p_data parameter works, but ?p_table and ?p_field seem not allowed ???
>What am I doing wrong ??
>Any possibility to pass tablename and fieldname as a parameter to an SQL command ??
>
>Best regards
>Albert
Michael Levy
MCSD, MCDBA
ma_levy@hotmail.com
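
Added example, not part of either post: one way to write the `p_exists` helper from the question so that the table and field names, which cannot be bound as `?` parameters, are validated and matched against an allow-list before being concatenated, while the control's value stays a bound parameter. The allow-list entries are hypothetical, and `p_connection` is assumed to be an open ODBC handle visible in scope, as in the original post.

```foxpro
* Added example, not code from the thread. Allow-list entries are
* hypothetical; p_connection is assumed to be an open ODBC handle in scope.
FUNCTION p_exists
LPARAMETERS p_table, p_fieldname, p_data
LOCAL lcTable, lcField, lcAllowed, lcSql, lnCount
LOCAL ARRAY laErr[1]

lcTable = ALLTRIM(p_table)
lcField = ALLTRIM(p_fieldname)

* 1. Identifiers may contain only letters, digits and underscore. This also
*    keeps "," and "." out of the allow-list lookup below, so a crafted name
*    cannot span two allow-list entries.
IF EMPTY(lcTable) OR EMPTY(lcField) OR ;
   NOT EMPTY(CHRTRAN(lcTable + lcField, ;
       "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_", ""))
    ERROR "p_exists: invalid table or field name"
ENDIF

* 2. The table/field pair must be one the application expects to check
*    (case-sensitive match).
lcAllowed = ",mytable.mykeyfield,customers.customer_id,"
IF NOT ("," + lcTable + "." + lcField + ",") $ lcAllowed
    ERROR "p_exists: table/field pair is not on the allow-list"
ENDIF

* 3. Identifiers are concatenated (backticks are MySQL identifier quotes);
*    the user-supplied value stays a bound ?parameter and is never spliced
*    into the SQL text.
lcSql = "SELECT COUNT(*) AS present FROM `" + lcTable + "`" + ;
        " WHERE `" + lcField + "` = ?p_data"

IF SQLEXEC(p_connection, lcSql, "c_present") < 1
    = AERROR(laErr)
    ERROR "p_exists: query failed: " + TRANSFORM(laErr[2])
ENDIF

* COUNT(*) may arrive as numeric or character depending on the ODBC driver.
lnCount = VAL(TRANSFORM(c_present.present))
USE IN SELECT("c_present")
RETURN lnCount
ENDFUNC
```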