On Wednesday 12-12-2007 at 22:51 [timezone +1100], John wrote:
> ik wrote:
> > One small note, you have an SQL injection at your code. I recommend
> > you to use parameters as how to add the values, but prior to that, you
> > should check to see if there are invalid chars, and trim them. That
> > way, you can avoid a lot of problems.
> >
> > Ido
> >
> Perhaps you should explain what is so terrible about a "SQL injection"
> ? I have heard of this before, but not the reason. I do this regularly
> and it seems to work fine!
Suppose the query is like this: (from some mails earlier)
MainForm.SQLQuery1.SQL.Add('SELECT revID from rev WHERE revName='+#39+CBProcessRev.Text+#39);
Oh, yes it works. Until...
A user types " '; drop table rev;" in CBProcessRev.
Well, that will still work. But only once. ;)
Joost
(btw: this won't work with all TSQLConnections, because some don't
accept a semicolon)
_________________________________________________________________
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject
archives at http://www.lazarus.freepascal.org/mailarchives
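The parameter approach Ido recommends, as an added example that is not code from the thread: the concatenated statement from the quoted query next to a TSQLQuery that binds the user text as a parameter, run against an in-memory SQLite database. The connection objects, the table contents and the rev ID 7 are constructed for the demo.

```pascal
program RevLookup;
{$mode objfpc}{$H+}
// Added example, not from the thread. An in-memory SQLite database stands in
// for the real connection; the table rev(revID, revName) matches the query.
uses
  SysUtils, DB, SqlDB, SQLite3Conn;
// The concatenated form from the thread: user text becomes SQL source, so a
// quote ends the literal and whatever follows is parsed as SQL.
function UnsafeQueryText(const RevName: string): string;
begin
  Result := 'SELECT revID FROM rev WHERE revName=' + #39 + RevName + #39;
end;

// Parameterised form: :revName is a placeholder filled in by the driver, so
// quotes or semicolons in RevName stay inside the value.
function LookupRevID(Q: TSQLQuery; const RevName: string): Integer;
begin
  Result := -1;
  Q.SQL.Text := 'SELECT revID FROM rev WHERE revName = :revName';
  Q.Params.ParamByName('revName').AsString := RevName;
  Q.Open;
  if not Q.EOF then
    Result := Q.FieldByName('revID').AsInteger;
  Q.Close;
end;

var
  Conn: TSQLite3Connection;
  Trans: TSQLTransaction;
  Q: TSQLQuery;
begin
  Conn := TSQLite3Connection.Create(nil);
  Trans := TSQLTransaction.Create(nil);
  Q := TSQLQuery.Create(nil);
  try
    Conn.DatabaseName := ':memory:';   // constructed: no file, no real schema
    Trans.DataBase := Conn;
    Q.DataBase := Conn;
    Q.Transaction := Trans;
    Conn.Open;
    Trans.StartTransaction;
    Conn.ExecuteDirect('CREATE TABLE rev (revID INTEGER, revName TEXT)');
    Conn.ExecuteDirect('INSERT INTO rev VALUES (7, ''A1'')');
    WriteLn('Concatenation would send: ', UnsafeQueryText(' ''; drop table rev;'));
    WriteLn('A1 -> ', LookupRevID(Q, 'A1'));
    WriteLn('payload -> ', LookupRevID(Q, ' ''; drop table rev;'));
    WriteLn('rev still there, A1 -> ', LookupRevID(Q, 'A1'));
  finally
    Q.Free; Trans.Free; Conn.Free;
  end;
end.
```

Compile with fpc; the sqlite3 shared library must be present at run time. The payload lookup simply finds no row, and the table is still there for the next lookup.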