Tablename as parameter ??
Message
From
31/03/2003 08:28:05
 
 
To
30/03/2003 12:00:27
Albert Beermann
Piepenbrock Service Gmbh & Cokg
Osnabrück, Germany
General information
Forum:
Visual FoxPro
Category:
Client/server
Miscellaneous
Thread ID:
00771831
Message ID:
00771958
Views:
14
Be very careful with this approach. You're taking data straight from the control to your dynamic SQL. This will leave you open to a SQL Injection attack.

http://www.sitepoint.com/article/794

-Mike

>Hello everybody
>I want to use a general function to validate a unique keyfield with an sql command.
>
>Mysql database via odbc !
>
>validate event in foxpro
>p_data = this.value
>p_table = mytable
>p_fieldname = mykeyfield
>
>l_ok = p_exists(p_table,p_fieldname,p_data)
>
>if l_ok > 0
> messagebox("Already exists !")
> return 0
>endif
>
>*************************************************************
>function p_exists
>parameters p_table,p_fieldname,p_data
>
> = SQLEXEC(p_connection,'SELECT count(*) as present from ?p_table where ?p_fieldname = ?p_data')
>
>return present
>endfunc
>**************************************************************************
>
>The ?p_data parameter works, but ?p_table and ?p_field seem not allowed ???
>What am I doing wrong ??
>Any possibility to pass tablename and fieldname as a parameter to an sqlcommand ??
>
>Best regards
>Albert
Michael Levy
MCSD, MCDBA
ma_levy@hotmail.com
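
An added example, not part of either post: one way to keep the generic check while closing the injection path the reply warns about. The value stays a bound `?p_data` parameter, and the table and field names, which cannot be bound, are only accepted if they exactly match an allow-list. The table and field names (`customers.custno`, `articles.artno`) and the cursor name `crsExists` are hypothetical; `p_connection` is the connection handle from the original post.

```foxpro
FUNCTION p_exists
LPARAMETERS p_table, p_fieldname, p_data
LOCAL lcTable, lcField, lcKey, lcEntry, llAllowed, lcSql, lnCount
LOCAL ARRAY laAllowed[2]

* Hypothetical allow-list: every table.field pair this function may query.
laAllowed[1] = "customers.custno"
laAllowed[2] = "articles.artno"

lcTable = LOWER(ALLTRIM(p_table))
lcField = LOWER(ALLTRIM(p_fieldname))
lcKey   = lcTable + "." + lcField

* Compare with ==, not =. With SET EXACT OFF, "customers.custno; drop ..."
* = "customers.custno" evaluates to .T. because = stops at the end of the
* right-hand string, which would let trailing SQL through the check.
llAllowed = .F.
FOR EACH lcEntry IN laAllowed
    IF lcKey == lcEntry
        llAllowed = .T.
        EXIT
    ENDIF
ENDFOR
IF NOT llAllowed
    RETURN -1    && identifier pair not permitted, nothing sent to the server
ENDIF

* Only allow-listed identifiers are concatenated; the user-supplied value
* is still passed as a bound parameter and never becomes part of the SQL text.
lcSql = "SELECT COUNT(*) AS present FROM " + lcTable + ;
        " WHERE " + lcField + " = ?p_data"

IF SQLEXEC(p_connection, lcSql, "crsExists") < 0
    RETURN -1    && query failed
ENDIF

* Some ODBC drivers return COUNT(*) as character, so normalise to numeric.
lnCount = VAL(TRANSFORM(crsExists.present))
USE IN SELECT("crsExists")
RETURN lnCount
ENDFUNC
```

The caller should treat a negative return as "check could not be performed" rather than "key is free".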