You can parameterize with SQL EXECUTE using SQL SET PARAMETER.
So any part that the user enters should use that.
You cannot parameterize an array.
I'm not aware that IN is parametrizable in MySQL or MSSQL either (though I
suppose I could be wrong).
MySQL/PHP, for example, only supports ints, doubles, strings and blobs
according to their documentation.
MySQL does have FIND_IN_SET, which takes a findval and a comma-delimited
list, but that function is not in 4D to my knowledge.
An IN list would need to be built dynamically if you need to use it
(but if it was, you need to do your own injection checks).
Use at your own risk.
Sample of a PARAMETERIZED query using only local variables:
ARRAY TEXT($Test22;0)  // Receives the field_2 values returned by the query
C_LONGINT($a)
$a:=1  // The value to look up; it is bound, never concatenated into the statement
SQL LOGIN(SQL_INTERNAL;"";"")
SQL SET PARAMETER($a;SQL param in)  // Binds $a to the first ? placeholder
SQL EXECUTE("SELECT field_2 FROM table_1 WHERE id = ?";$Test22)
If (Not(SQL End selection))  // If at least one record is found
  SQL LOAD RECORD(SQL all records)  // Load all the records into $Test22
End if
SQL LOGOUT
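Added example, not code from this thread or from 4D: it shows, side by side, the two things discussed above, concatenating a user-supplied IN list into the statement versus emitting one ? placeholder per element and binding each value, plus the strict integer check you would need if the list really has to be built dynamically. Python with sqlite3 stands in for 4D's SQL SET PARAMETER / SQL EXECUTE (the binding mechanism is the same idea); table_1 and field_2 are the names from the sample above, the rows are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data standing in for the 4D table in the sample above.
ROWS = [(1, "alpha"), (2, "bravo"), (3, "charlie"), (4, "delta")]


def make_db():
    """Build an in-memory table_1(id, field_2) with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_1 (id INTEGER PRIMARY KEY, field_2 TEXT)")
    conn.executemany("INSERT INTO table_1 VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, id_list_text):
    """The 'deadly sin': user text is spliced straight into the statement.

    A payload such as "1) OR 1=1 --" closes the IN list, appends an
    always-true condition and comments out the rest, returning every row."""
    sql = ("SELECT field_2 FROM table_1 WHERE id IN (" + id_list_text + ")"
           " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, ids):
    """One ? per element, each value bound separately.

    The statement text contains only placeholders, so the database parses
    every user value as data. The same payload bound as a value simply
    fails to match any integer id."""
    if not ids:
        return []
    placeholders = ",".join("?" for _ in ids)
    sql = ("SELECT field_2 FROM table_1 WHERE id IN (" + placeholders + ")"
           " ORDER BY id")
    return [row[0] for row in conn.execute(sql, list(ids))]


def parse_id_list(raw):
    """The 'do your own injection checks' route for a dynamically built list:
    accept only comma-separated decimal integers, reject everything else
    (quotes, parentheses, comment markers, unicode digits) before any SQL
    is assembled."""
    ids = []
    for token in raw.split(","):
        token = token.strip()
        if not re.fullmatch(r"[0-9]{1,18}", token):
            raise ValueError("rejected non-numeric id: %r" % token)
        ids.append(int(token))
    return ids


if __name__ == "__main__":
    db = make_db()
    payload = "1) OR 1=1 --"
    print("concatenated :", lookup_concatenated(db, payload))
    print("parameterized:", lookup_parameterized(db, [payload]))
    print("validated    :", lookup_parameterized(db, parse_id_list("2, 4")))
```

Run it and the concatenated query returns all four rows for the payload while the parameterized one returns none; parse_id_list raises on the same payload before a statement is ever built, which is the check the message above says you would have to write yourself.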
>
> Message: 7
> Date: Mon, 17 Apr 2017 15:47:27 +0000
> From: Justin Will <[email protected]>
> To: 4D iNug Technical <[email protected]>
> Cc: Aaron <[email protected]>
> Subject: RE: 4D SQL Implementation
> Message-ID: <dm5pr15mb16413d7cd4bed3ff59490d93a7...@dm5pr15mb1641.namprd15.prod.outlook.com>
>
> Content-Type: text/plain; charset="utf-8"
>
> Aaron,
>
>> alternatively you can use SQL EXECUTE to still be able to use local
>> variables, and build your query dynamically
>
> Using strings built into queries is prone to sql injection if the query has
> any input from the users and is considered a deadly sin in most cases.
>
> Justin
>
>
> Date: Mon, 17 Apr 2017 16:01:26 +0000
> From: Timothy Penner <[email protected]>
> To: 4D iNug Technical <[email protected]>
> Subject: RE: 4D SQL Implementation
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
>> Using strings built into queries is prone to sql injection if the query has
>> any input from the users and is considered a deadly sin in most cases.
>
> Here is a good example describing why you should never concatenate data into
> a SQL statement; you should always use parameterized queries instead.
> http://bobby-tables.com/
> http://bobby-tables.com/about
>
> -Tim
**********************************************************************
4D Internet Users Group (4D iNUG)
FAQ: http://lists.4d.com/faqnug.html
Archive: http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub: mailto:[email protected]
**********************************************************************