On Saturday, February 05, 2011 12:46:01 pm Paul McNett wrote:
> Right! It is considered bad practice to put the parameters into the
> SQL string due to the possibility of SQL injection. Sometimes you have
> to, like with table names, unfortunately, but you work with what
> you've got.
>
> Also, by passing the parameters to the adapter, you are letting the
> adapter do the heavy lifting of formatting them correctly, resulting
> in simpler code on your end.
OK I can accept that last without question. There are times when I see
formatting issues. But in general I have been able to deal with most of them
with very simple code.
As far as the injection issue, explain the difference between
csql = "select * from table where pkid = %s" % self.varPK
UserSQL = csql
and
UserSQL = "select * from table where pkid = ?" % self.varPK
or
biz.setWhereClause("fld = ?")
biz.setParams((fldval,))
Johnf
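Added example, not from the thread or from Dabo: the two forms from the question side by side against an in-memory SQLite table, using Python's sqlite3 module, which also takes `?` placeholders like the bizobj example. The table `t`, its three rows and the input values are constructed here; `ALLOWED_TABLES` is an assumed allowlist for the case where a table name really does have to go into the SQL text.

```python
import sqlite3

# Constructed sample data; nothing here comes from the original message.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (pkid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO t (pkid, name) VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return conn

def fetch_interpolated(conn, var_pk):
    # First form from the question: the value is pasted into the SQL text,
    # so every character of the value is read by the database as SQL.
    csql = "select * from t where pkid = %s" % var_pk
    return conn.execute(csql).fetchall()

def fetch_parameterized(conn, var_pk):
    # Placeholder form: the SQL text is fixed; the value travels separately
    # and the adapter binds it as data, never as SQL syntax.
    csql = "select * from t where pkid = ?"
    return conn.execute(csql, (var_pk,)).fetchall()

# Assumed allowlist: table names cannot be bound as parameters, so the
# only safe way to interpolate one is to check it against known names.
ALLOWED_TABLES = {"t"}

def fetch_from_table(conn, table, var_pk):
    if table not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % table)
    csql = 'select * from "%s" where pkid = ?' % table
    return conn.execute(csql, (var_pk,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # Well-behaved input: both forms give the same single row.
    print(fetch_interpolated(conn, 2))      # [(2, 'beta')]
    print(fetch_parameterized(conn, 2))     # [(2, 'beta')]
    # Constructed input containing SQL text: the interpolated form now
    # returns every row, the parameterized form matches nothing because
    # the whole string is compared as one value.
    hostile = "2 or 1=1"
    print(fetch_interpolated(conn, hostile))   # all three rows
    print(fetch_parameterized(conn, hostile))  # []
    print(fetch_from_table(conn, "t", 3))      # [(3, 'gamma')]
```

The point for the question: `%` only ever does string substitution in Python before the database sees anything, so with `%s` the database cannot tell where the value ends and the query resumes. With `?` the adapter sends the query and the value as two separate things, which is why `biz.setWhereClause("fld = ?")` plus `biz.setParams((fldval,))` needs no quoting or escaping on your side. A `?` combined with `%` (the middle form in the question) is not a parameter at all; the placeholder is only meaningful when the value is handed to the adapter alongside the SQL.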
Searchable Archives: http://leafe.com/archives/search/dabo-users
This message:
http://leafe.com/archives/byMID/[email protected]