Mike Yearwood said "If you always use parameterized SQL queries, the parameter contents can not be used for SIA."
Surely it depends on how you build the parameter variables. If you let the user enter them, what is to stop them entering, e.g., a city name as "manchester go truncate table dbo.sysusers go"?

"If someone were somehow able to access your database at all and run a query, they can just as easily run your SPs." I thought that was the point: you make the error checking in your SP rock solid so you don't care what tool is used to access it.

BTW, some comments on this topic seem to imply that SQL Server supports parameterised queries. AFAIK FoxPro supports parameterised queries, including queries to a SQL Server back-end, but SQL Server itself only supports parameters to SPs. Or have I missed something?

Andrew Davies MBCS CITP - AndyD 8-)#
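As an added example (not from the thread or from either poster), here is the distinction the two posts are arguing about, with Python's standard sqlite3 module standing in for the database: a bound parameter is compared as data, so the quoted city string simply matches nothing and the tables are untouched, while a string-built query mishandles even a legitimate value containing an apostrophe. The sample rows and the `city_is_plausible` rule are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data for this example only.
SEED_SQL = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT);
INSERT INTO customers (name, city) VALUES ('Alice', 'Manchester');
INSERT INTO customers (name, city) VALUES ('Bob', 'Val-d''Or');
CREATE TABLE sysusers (id INTEGER PRIMARY KEY, login TEXT);
INSERT INTO sysusers (login) VALUES ('dbo');
"""

# The city string quoted in the post above.
HOSTILE_CITY = "manchester go truncate table dbo.sysusers go"


def make_db():
    """Open an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def customers_in_city(conn, city):
    """Parameterised query: the bound value is compared as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM customers WHERE city = ?", (city,))
    return [name for (name,) in rows]


def concat_query_breaks(conn, city):
    """String-built query, for contrast: the value becomes statement text, so an
    apostrophe in a perfectly valid city name ends the literal early.
    Returns True when the database rejects the resulting statement."""
    sql = "SELECT name FROM customers WHERE city = '" + city + "'"
    try:
        conn.execute(sql).fetchall()
        return False
    except sqlite3.OperationalError:
        return True


def city_is_plausible(city):
    """Input check of the 'rock solid' kind the post argues for. Constructed rule:
    letters, spaces, hyphens and apostrophes only, at most 40 characters."""
    return bool(re.fullmatch(r"[A-Za-z][A-Za-z '\-]{0,39}", city))


def table_exists(conn, table):
    """True if the named table is still present in the schema."""
    sql = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(sql, (table,)).fetchone() is not None
```

Running `customers_in_city(db, HOSTILE_CITY)` returns an empty list and `table_exists(db, "sysusers")` stays True, while `concat_query_breaks(db, "Val-d'Or")` is True even though the same value works through the bound parameter.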

