Joost van der Sluis wrote:
Op woensdag 12-12-2007 om 22:51 uur [tijdzone +1100], schreef John:
ik wrote:
One small note, you have an SQL injection at your code. I recommend
you to use parameters as how to add the values, but prior to that, you
should check to see if there are invalid chars, and trim them. That
way, you can avoid a lot of problems.
Ido
Perhaps you should explain what is so terrible about a "SQL injection"
? I have heard of this before, but not the reason. I do this regularly
and it seems to work fine!
Suppose the query is like this: (from some mails earlier)
MainForm.SQLQuery1.SQL.Add('SELECT revID from rev WHERE
revName='+#39+CBProcessRev.Text+#39);
Oh, yes it works. Until...
A user types " '; drop table rev;" in CBProcessRev.
Well, that will still work. But only once. ;)
Joost
(btw: this won't work with all TSQLConnections, because some don't
accept a semicolon)
So the issue is accepting the text straight from the user input, not the
fact that the query text is constructed rather than using a parameter
? When I say I do it all the time, it is far more likely to be
something like 'select * from sometable where ref = ' +
IntToStr(AnIntegerValue), or some otherwise well-validated expression.
Don't get me wrong, I actually prefer to use parameters in such a
circumstance if I can get them to work, especially if the sql is
executed repeatedly with different criteria.
cheers,
John Sunderland
_________________________________________________________________
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject
archives at http://www.lazarus.freepascal.org/mailarchives
