> When using MS-SQLServer, it is mandatory to escape or replace the '
> character (apostrophe) to avoid SQL injection attacks in web
> applications.
>
> What are the "dangerous" characters -if any- for SAPDB 7.4
> and MAXDB 7.5?
It is really better to use prepared statements.
- no special handling of quotes
- allows inserting newlines etc. into CHAR columns
- no restrictions when using Blobs/LONGs
- much better performance if the same statement can be used several times
- better performance with shared SQL (7.5)
If it is necessary to create a SQL statement with all the values,
then single quotes have to be doubled to quote them,
e.g. INSERT INTO testtable values ('That''s all')
Daniel Dittmar
--
Daniel Dittmar
SAP Labs Berlin
[EMAIL PROTECTED]
> -----Original Message-----
> From: Martin Cordova S. [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 05, 2003 5:00 PM
> To: [EMAIL PROTECTED]
> Subject: SQL Injection risks...
>
>
> When using MS-SQLServer, it is mandatory to escape or replace the '
> character (apostrophe) to avoid SQL injection attacks in web
> applications.
>
> What are the "dangerous" characters -if any- for SAPDB 7.4
> and MAXDB 7.5?
>
> Regards,
> Martin
>
>
--
MaxDB Discussion Mailing List
For list archives: http://lists.mysql.com/maxdb
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
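The two approaches Daniel contrasts, shown side by side as an added example that is not part of the thread: a statement assembled as text with the value pasted in unescaped, the same statement with single quotes doubled as he describes ('That''s all'), and a prepared statement with a parameter marker. An in-memory sqlite3 database stands in for MaxDB here, on the assumption that both accept the standard '' escape and a DB-API driver with parameter markers; the table, the injection payload and the other sample values are constructed for the example.

```python
import sqlite3

# Constructed sample inputs.
BENIGN = "That's all"              # the literal from Daniel's INSERT example
MULTILINE = "line one\nline two"   # newline in a CHAR/TEXT value
ATTACK = "' OR '1'='1"             # classic tautology payload


def setup():
    """Create a small table with two rows in an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE testtable (name TEXT)")
    con.execute("INSERT INTO testtable VALUES ('alice')")
    con.execute("INSERT INTO testtable VALUES ('bob')")
    con.commit()
    return con


def quote_literal(value):
    """Build a SQL string literal by doubling every single quote.

    This is the manual escaping Daniel describes for the case where the
    statement must be assembled as text with the values inlined.
    """
    return "'" + value.replace("'", "''") + "'"


def lookup_unescaped(con, name):
    """Vulnerable: the value is pasted into the statement unchanged."""
    sql = "SELECT name FROM testtable WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in con.execute(sql)]


def lookup_doubled(con, name):
    """Statement still assembled as text, but the literal is quoted properly."""
    sql = "SELECT name FROM testtable WHERE name = " + quote_literal(name) + " ORDER BY name"
    return [row[0] for row in con.execute(sql)]


def lookup_prepared(con, name):
    """Prepared statement: the SQL text is fixed, the value travels out of band."""
    sql = "SELECT name FROM testtable WHERE name = ? ORDER BY name"
    return [row[0] for row in con.execute(sql, (name,))]


def run_demo():
    """Run the three lookups against the payload and round-trip awkward values."""
    con = setup()
    results = {
        # Unescaped: the payload closes the literal and appends OR '1'='1'.
        "unescaped_attack": lookup_unescaped(con, ATTACK),
        # Doubled quotes: the payload is compared as a plain string, no match.
        "doubled_attack": lookup_doubled(con, ATTACK),
        # Prepared: same result, with no quote handling in application code.
        "prepared_attack": lookup_prepared(con, ATTACK),
    }
    # Inserting values with an apostrophe and with a newline, both ways.
    con.execute("INSERT INTO testtable VALUES (" + quote_literal(BENIGN) + ")")
    con.execute("INSERT INTO testtable VALUES (?)", (MULTILINE,))
    con.commit()
    results["doubled_roundtrip"] = lookup_doubled(con, BENIGN)
    results["prepared_roundtrip"] = lookup_prepared(con, MULTILINE)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The unescaped lookup returns every row for the payload, while both the doubled-quote and the prepared variants return nothing, which is the point of Daniel's answer: doubling the quote is sufficient when text assembly is unavoidable, but the prepared statement gets the same result without any per-value escaping and also carries the newline value without special handling.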