On 6/11/07, Dave Watts wrote:
> > While I don't know enough to know, I've seen some Oracle stored procs that pass an entire SQL query as a param... always kind of assumed that was NOT being safe... I'll keep thinking that, even if it's wrong, just cuz it bothers me, in general. =]
>
> No, that's not safe, and you can do the same thing with SQL Server using EXECUTE/sp_executesql. Those commands take potentially unsafe strings and execute them as code, which is exactly what you want to avoid.
Well, it's sorta the opposite of that feeling the old lady got when looking out her plane window to see Dent and his woman scrogging on the wing, that everything she had been told was wrong, but finding out that some of what you thought you knew, you knew, can be good too. =]

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280725
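The pattern Dave Watts is warning about, shown in T-SQL as an added example that is not from this thread or from any of its posters. The table dbo.Users, the three procedures, and the injection input are all constructed for illustration; the first two procedures are deliberately unsafe, the third is the sp_executesql form with a typed parameter.

```sql
-- Added example, not from the CF-Talk thread. Table, procedure names and
-- data are hypothetical; runs on SQL Server (T-SQL).
CREATE TABLE dbo.Users (
    UserId   INT IDENTITY PRIMARY KEY,
    UserName NVARCHAR(100) NOT NULL,
    IsAdmin  BIT NOT NULL DEFAULT 0
);
INSERT INTO dbo.Users (UserName, IsAdmin) VALUES (N'alice', 0), (N'bob', 1);
GO

-- 1. Unsafe: the proc takes a whole SQL statement and runs it as code.
--    Whoever controls the caller's input chooses the statement. No amount
--    of quoting or parameter binding inside the proc can help here.
CREATE PROCEDURE dbo.RunAnything @Sql NVARCHAR(MAX)
AS
    EXEC (@Sql);
GO

-- 2. Also unsafe: the proc concatenates a value into the statement text and
--    then executes the string. The value can close the literal and add code.
CREATE PROCEDURE dbo.FindUser_Concat @UserName NVARCHAR(100)
AS
    DECLARE @Sql NVARCHAR(MAX) =
        N'SELECT UserId, UserName FROM dbo.Users WHERE UserName = ''' + @UserName + N'''';
    EXEC (@Sql);
GO

-- Constructed injection input. Its value is:
--   ' ; UPDATE dbo.Users SET IsAdmin = 1 WHERE UserName = 'alice' --
-- Concatenated, the executed text becomes:
--   SELECT ... WHERE UserName = '' ; UPDATE dbo.Users SET IsAdmin = 1 WHERE UserName = 'alice' --'
EXEC dbo.FindUser_Concat N''' ; UPDATE dbo.Users SET IsAdmin = 1 WHERE UserName = ''alice'' --';
SELECT UserName, IsAdmin FROM dbo.Users WHERE UserName = N'alice';  -- alice is now an admin

-- 3. Safer: the statement text is a constant and the value travels as a typed
--    parameter through sp_executesql, so it cannot change the statement's shape.
CREATE PROCEDURE dbo.FindUser_Param @UserName NVARCHAR(100)
AS
    DECLARE @Sql NVARCHAR(MAX) =
        N'SELECT UserId, UserName FROM dbo.Users WHERE UserName = @u';
    EXEC sp_executesql @Sql, N'@u NVARCHAR(100)', @u = @UserName;
GO

-- The same input is now only a (non-matching) user name: zero rows, no UPDATE.
EXEC dbo.FindUser_Param N''' ; UPDATE dbo.Users SET IsAdmin = 1 WHERE UserName = ''alice'' --';
```

Two caveats worth keeping in mind. sp_executesql is only safer when the SQL text itself is fixed and the untrusted data goes through its parameter list; a proc that receives the whole statement from the caller (the first procedure above) is just as exposed whether it calls EXECUTE or sp_executesql. And the parameter width matters: if the proc's input parameter were narrower than the attacker's string, SQL Server would silently truncate it, which can either defeat or reshape a payload, so the widths above are chosen to make the example behave as described.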

