> I am sorry, you have no idea what you're talking about. I don't know how
> you're doing your tests, but in the last 10 minutes I have created an example
> which can be downloaded from here:
>
> www.class-software.eu/sqlparameters.zip
>
> Username: admin
> Password: adminpass
>
> The program will show how many records have been selected (1, the admin
> user)
>
> Then enter this:
>
> Username: admin' &&
> Password: any random password
>
> The app will select the same record.
>
> Then comment out the top lines and uncomment the ones below, try the trick
> again and tell me if the user was logged in.

You are correct. You can enter stuff into a textbox in VFP that cannot be
inserted into a variable in code.

As it turns out, my app's login code actually defends against login input
that contains troublesome characters, by setting up the query as follows:

    lcSQL = "SELECT userid FROM users WHERE login == '&mylogin'" ;
        + " AND password == '&mypassword' Into cursor crsUser"

In that scenario, [admin' &&] throws Error 36. [admin'&&] will also fail.
So will a variety of other things.

However, I had forgotten it did that; it's been something like ten years
since I wrote that code, and I did not actually look at the code before
responding here. I apologize for that mistake.

Although I was wrong on this particular point, I think I should be forgiven
for assuming that something that doesn't work in code also won't work in a
textbox.

Nor does this demonstration change the fact that validating user input
obviates the need for use of ? parameters, or the fact that ? parameters
simply cannot be used in a distributed application.

Ken Dibble
www.stic-cil.org
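The two query styles argued over in this thread, side by side, as an added example that is not code from either poster. It is written in Python against SQLite rather than VFP so it can be run anywhere; the users table, its two rows and the function names are constructed for the demonstration. Where the VFP example types `admin' &&`, the SQLite spelling is `admin' --`, since `--` is the SQL line comment that plays the role `&&` plays in VFP.

```python
import sqlite3

# Constructed sample data standing in for the thread's "users" table.
SAMPLE_USERS = [
    (1, "admin", "adminpass"),
    (2, "bob", "bobpass"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_macro(conn, login, password):
    """Text-substitution query: the analogue of the &mylogin macro expansion.

    Whatever the user typed is pasted into the statement text, so the
    database engine cannot tell the data apart from the SQL syntax.
    """
    sql = (
        "SELECT userid FROM users WHERE login = '" + login + "'"
        " AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, login, password):
    """Parameterised query: the analogue of the ? parameters in the thread.

    The statement text is fixed; both values travel separately and are
    always treated as string data, quotes and comment markers included.
    """
    sql = "SELECT userid FROM users WHERE login = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (login, password))]


def demo():
    """Run both forms on the same inputs and report which userids each selects."""
    conn = make_db()
    # "admin' --" closes the string literal and comments out the rest of the
    # WHERE clause, password check included (SQLite spelling of "admin' &&").
    cases = {
        "honest": ("admin", "adminpass"),
        "comment_trick": ("admin' --", "any random password"),
    }
    results = {}
    for name, (login, password) in cases.items():
        results[name] = {
            "macro": login_macro(conn, login, password),
            "param": login_param(conn, login, password),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} macro -> {outcome['macro']}  param -> {outcome['param']}")
```

The honest login selects userid 1 under both forms. With the comment trick, the text-substitution form still selects userid 1 because the password comparison has been commented away, while the parameterised form selects nothing: the engine simply looks for a login literally named `admin' --`. That is the difference the uploaded VFP demo was built to show.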

