I am sorry, you have no idea what you're talking about. I don't know how you're doing your tests, but in last 10 minutes I have created an example which can be downloaded from here:
www.class-software.eu/sqlparameters.zip Username: admin Password: adminpass The program will show how many records have been selected (1, the admin user) Then enter this: Username: admin' && Password: any random password The app will select the same record. Then comment top lines and uncomment the below ones, try the trick again and tell me if the user was logged in. On Wed, Feb 15, 2012 at 3:38 AM, Ken Dibble <[email protected]> wrote: > > >On Tue, Feb 14, 2012 at 1:56 AM, Ken Dibble <[email protected]> wrote: > > > You can't concatenate anything containing "&&" to a string in VFP. That > > > surprised me, frankly, but you can't. It won't work; you'll get > "Command > > > contains unrecognized phrase/keyword": > > > > > > myvar = "Select * From Users where username = '" && ok > > > myvar = myvar + "admin' &&" && Error! > > > myvar = myvar + "admin'" && ok > > > myvar = myvar + " &&" && Error! > > > myvar = "" && ok > > > myvar = myvar + "&&" && Error! > > > >Hi Ken, > > > >This is just a parsing restriction as VFP sees '&&' as the start of a > comment. > >In a running program this will work fine. > > I just did it in a running program and it did not work fine. It gave me > Error 36, "Command contains unrecognized phrase/keyword" Try it yourself > and see: > > *** Program doubleamp.prg *** > CLEAR > > LOCAL myvar > > ? [Line 1: ] + [myvar = "Select * From Users where username = '"] > > * Okay... > myvar = "Select * From Users where username = '" > > * Can't even do this one... Error 36. > ? [Line 2: ] + [myvar = myvar + "admin' &&"] > > * And this one fails too... > myvar = myvar + "admin' &&" > > ? [Line 3: ] + [myvar = myvar + "admin'"] > > * Okay... > myvar = myvar + "admin'" > > * Fail! > ? [Line 4: ] + [myvar = myvar + " &&"] > > * Ditto! > myvar = myvar + " &&" > > * Okay.... > ? [Line 5: ] + [myvar = ""] > > * Okay... > myvar = "" > > * Bang! Zoom! To the moon, Alice! > ? [Line 6: ] + [myvar = myvar + "&&"] > > * Alice is already gone... > myvar = myvar + "&&" > *** End program *** > > Ken Dibble > www.stic-cil.org > > [excessive quoting removed by server] _______________________________________________ Post Messages to: [email protected] Subscription Maintenance: http://leafe.com/mailman/listinfo/profox OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/CAH=cqdl2gl-xc-93c-q1svk2lsj8ddktd7_uqehcjugoerc...@mail.gmail.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
