Not true. If the variable is "delete from table" (it's too late here to
compose a real dangerous variable, but you get the idea), passing it as a
literal string will delete the records, while passing it as ?varName will
not. Try it.

On Mon, Feb 13, 2012 at 3:06 AM, Ken Dibble <[email protected]> wrote:

> There is no magical "extra security" conferred by using ?somevariable as
> opposed to just mySQLCommand = CommandText + somevariable. ?somevariable is
> just a reference to the content of somevariable. If the type of
> somevariable is a string, and you don't validate somevariable before it
> becomes part of a SQL statement, you'll be in trouble either way.
>
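
The difference the two posts argue about, as an added example that is not part of the thread and not written in Visual FoxPro: Python's sqlite3 module is used as a stand-in, with its `?` placeholder playing the role of VFP's `?somevariable` in SQL pass-through. The `customers` table, its rows and the hostile input are constructed for the demonstration. The same input is run once through `CommandText + somevariable` concatenation and once as a bound parameter; the return values show how many rows each version deletes.

```python
import sqlite3

# Constructed sample data; stands in for the "table" mentioned in the thread.
CUSTOMERS = [
    ("ann", "ann@example.com"),
    ("ben", "ben@example.com"),
    ("cy", "cy@example.com"),
]

# Constructed attacker-controlled value. When concatenated into the SQL text,
# the leading quote closes the string literal and OR '1'='1' makes the WHERE
# clause true for every row. As a bound parameter it is just a strange name.
HOSTILE_NAME = "x' OR '1'='1"


def fresh_db():
    """Return a new in-memory database holding the constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def row_count(conn):
    """Number of rows left in customers."""
    return conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


def delete_by_name_concat(conn, name):
    """CommandText + somevariable: the variable's content becomes SQL text.

    Returns the number of rows the statement deleted.
    """
    sql = "DELETE FROM customers WHERE name = '" + name + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_by_name_param(conn, name):
    """Bound parameter (the sqlite3 analogue of ?somevariable): the variable's
    content is sent as data and is never parsed as SQL.

    Returns the number of rows the statement deleted.
    """
    cur = conn.execute("DELETE FROM customers WHERE name = ?", (name,))
    conn.commit()
    return cur.rowcount


def compare(name):
    """Run the same input through both versions, each on a fresh copy of the table.

    Returns (rows deleted by concatenation, rows deleted by bound parameter).
    """
    by_concat = fresh_db()
    by_param = fresh_db()
    return (delete_by_name_concat(by_concat, name),
            delete_by_name_param(by_param, name))


if __name__ == "__main__":
    print(compare("ann"))          # a normal value: both versions delete one row
    print(compare(HOSTILE_NAME))   # concatenation empties the table, the parameter deletes nothing
```

Both versions behave identically for an ordinary value, which is why the two look equivalent in testing. They part ways only on hostile input: the concatenated statement the server actually receives is `DELETE FROM customers WHERE name = 'x' OR '1'='1'`, while the parameterized statement's text never changes, whatever the variable holds.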


_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/CAH=CQDJiu=3-tpgancpjk8uunsb5djudam-0vpngghmxmt+...@mail.gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.
