Ken, your code is proving that macrosubstitution cannot execute multiple lines of code. As long as you execute commands on VFP data AND the literal value does not imply multiple lines, that's OK. As soon as any of the above conditions is not met, something bad will happen if you use macrosubstitution, and nothing will happen if you use SELECT parameters. You have two EXECSCRIPT lines in your code. The first one is using concatenation and fails badly, while the second is using SQL parameters and works fine.
Here's another piece of code:

    "Select * From Users where username = '" + varUsername + "' And password = '" + varPassword + "'"

Let's suppose the user enters [admin' &&] as username (drop the brackets, I've put them just to isolate the string in this text). If string concatenation is used, the user will be logged in as admin with no password at all (or any random password), while using SQL parameters the select will bring zero records. My point is that using SQL parameters does not depend on "how it's done", and also, ?myVar is not just a pointer to myVar.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ken Dibble
Sent: Monday, February 13, 2012 4:43 AM
To: [email protected]
Subject: Re: [NF] Very strong set of issues in Are You a Bad Programmer.

> > > There is no magical "extra security" conferred by using
> > > ?somevariable as opposed to just mySQLCommand = CommandText +
> > > somevariable. ?somevariable is just a reference to the content of
> > > somevariable. If the type of somevariable is a string, and you don't
> > > validate somevariable before it becomes part of a SQL statement, you'll be in trouble either way.
> >
> > Not true. If the variable is "delete from table" (it's too late here to compose a real dangerous variable, but you got the idea), passing it as a literal string will delete the records, while passing it as ?varName will not.

Try it. Depends on how it's done. Consider the following code:

    CLOSE TABLES ALL
    CLOSE DATABASES ALL
    ERASE foo.*
    ERASE bar.*
    ERASE foobar.*
    CLEAR
    CREATE TABLE Foo (Somefield C(10), Someint I)
    INSERT INTO Foo (Somefield, Someint) ;
        VALUES ("Y", 1)
    USE IN Foo
    CREATE TABLE Bar (Anyfield C(10), Anyint I)
    USE IN Bar
    CREATE DATABASE Foobar
    OPEN DATABASE Foobar
    SET DATABASE TO Foobar
    ADD TABLE foo
    ADD TABLE bar

    testvar = "'Y'" + CHR(10) + CHR(13) + "DROP TABLE BAR"
    mysql = "SELECT * FROM Foo WHERE Somefield = " + testvar
    ? "About to execute concatenated string: " + mysql
    * EXECSCRIPT(mysql)    && Drops bar
    &mysql                 && No problem
    IF FILE("Bar.dbf")
        USE bar
        BROWSE
    ELSE
        ? "Bar is gone."
    ENDIF
    IF NOT FILE("Bar.dbf")
        CREATE TABLE Bar (Anyfield C(10), Anyint I)
        USE IN Bar
        ADD TABLE bar      && Huh? If bar was dropped, we get an error stating that the table is part of the database
    ENDIF

    mysql = "SELECT * FROM Foo WHERE Somefield = ?testvar"
    ? "About to execute parameterized query: " + mysql
    * SELECT * FROM Foo WHERE Somefield = ?testvar    && No problem
    EXECSCRIPT(mysql)      && No problem
    IF NOT USED("bar")
        USE bar IN 0
    ELSE
        SELECT Bar
    ENDIF
    BROWSE
    MODIFY DATABASE

[excessive quoting removed by server]

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

