On Sat, Feb 11, 2012 at 8:55 PM, Ken Dibble <[email protected]> wrote:
> Thus a cite from authority that there is nothing wrong with creating
> queries by string concatenation as long as you validate the input first.

Well, I suspect this "authority" hasn't worked in languages that have as elegant a support for placeholder substitutions as FoxPro. I'm not sure how much automatic sanitizing (SQL escapes) is built into the ODBC side of that. Handling all of the proper escape issues can be tricky, especially if you might be dealing with complex, binary or foreign language data. (I worked on a (non-VFP) app a few years ago that was simultaneously released in English, French, Spanish, Italian, German, Japanese and two dialects of Chinese. You couldn't really inspect the data all that well manually and had to depend on functionality built into the language and the data engine.)

You certainly don't want to run into a "Bobby Drop Tables": http://xkcd.com/327/

-- 
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com
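The point Ted makes above, that hand-rolled escaping is context-dependent while placeholder substitution is not, can be shown with a few lines of Python against SQLite. This is an added example, not code from the thread or from any FoxPro/ODBC driver; the `students` table, its rows and the inputs are constructed for the demo, and `sqlite3` stands in for whatever data engine the ODBC side talks to.

```python
"""Added example: string concatenation vs. placeholders, using Python's
sqlite3 module. Table, rows and inputs are constructed for the demo."""
import sqlite3


def make_db():
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade INTEGER)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?)",
        [("Alice", 90), ("O'Brien", 85), ("Bob", 70)],
    )
    conn.commit()
    return conn


def grade_by_name_concat(conn, name):
    """Unsafe: the value is pasted into the SQL text, so a quote inside the
    data becomes part of the statement's syntax. A legitimate name such as
    O'Brien breaks the query; a crafted one changes what it returns."""
    sql = "SELECT grade FROM students WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(value):
    """Hand-rolled 'validation': double every single quote. This is correct
    only when the value lands inside a single-quoted string literal."""
    return value.replace("'", "''")


def grade_by_name_escaped(conn, name):
    """Concatenation after manual escaping: fine in this string context."""
    sql = "SELECT grade FROM students WHERE name = '" + escape_quotes(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def names_above_escaped(conn, threshold):
    """The same escaping routine in a numeric context: there are no quotes
    to double, so it silently does nothing and the value is still syntax."""
    sql = "SELECT name FROM students WHERE grade > " + escape_quotes(threshold)
    return [row[0] for row in conn.execute(sql)]


def grade_by_name_param(conn, name):
    """Placeholder substitution: the driver passes the value separately from
    the statement, so it is always data, never syntax, whatever it contains."""
    sql = "SELECT grade FROM students WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def names_above_param(conn, threshold):
    """Placeholder in a numeric context. A non-numeric string is compared as
    text under SQLite's affinity rules; it can never alter the statement."""
    sql = "SELECT name FROM students WHERE grade > ?"
    return [row[0] for row in conn.execute(sql, (threshold,))]


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("escaped", grade_by_name_escaped),
                      ("param", grade_by_name_param)):
        print(label, "O'Brien ->", fn(db, "O'Brien"))
    print("escaped numeric ->", names_above_escaped(db, "0 OR 1=1"))
    print("param numeric   ->", names_above_param(db, "0 OR 1=1"))
```

The escaped variant looks safe as long as every concatenated value sits inside a quoted literal; move the same routine to a numeric comparison and it protects nothing, which is exactly the "tricky" part. The parameterised versions need no per-context reasoning at all.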

