I have a few more questions:
I can see how it may be possible to insert SQL into a number variable on a web form given the var isn't quoted. But are varchar2 type vars invulnerable simply because they are single quoted in the query? Or are there ways that even that would allow SQL insertion? It seems impossible to me but then I'm not an expert on SQL.
What about date type vars? They aren't quoted.
The MM docs mention
"Some databases, including Microsoft SQL Server and Sybase SQL Server, support the ability to send multiple SQL statements with each query."
How are they defining "multiple SQL statements"? They are referring to semicolon-separated SQL statements, right? They didn't mention Oracle in the list, so does anyone know if Oracle allows multiple statements? We're on 8i, if that matters.
> > So is that adequate?
>
> yes. You are invulnerable to sql injection if you use it on all of
> your inputs. As in from-the-planet-Krypton invulnerable.
>

