On Apr 15, 2006, at 11:50 AM, Jan Erik Moström wrote:
Norman Palardy <[EMAIL PROTECTED]> 2006-04-15 18:32:
Using a bind variable doesn't either
It doesn't? Then I must have misunderstood things, so how do I protect
against this?
I should say that with SOME database engines it won't.
With some it will, since they will not interpret the bound values as part
of a standard SQL string.
IF you can't use a bound variable you could make sure that the
"normal" escapes are done.
Double up single and double quotes as that's usually one way to
inject SQL.
For instance, a person may try to inject SQL via a value like
"; delete from table ;"
With the original you'd get
"select a,b,c where d = "; delete from table ;" and e = :2"
(or something similar)
So if you have to use the "replaceall" method, make sure you double
things up properly for your database:

dim myPrecompiledSQL as string = "select a,b,c where d = :1 and e = :2"
dim sql as string
sql = myPrecompiledSQL
// substitute each placeholder with its quote-doubled value
sql = replaceAll(sql, ":1", doubleUpQuotes(parameter1))
sql = replaceAll(sql, ":2", doubleUpQuotes(parameter2))
so you get
"select a,b,c where d = ""; delete from table ;"" and e = """""
or whatever
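A worked version of the three approaches discussed in this message (plain string splicing, a real bound parameter, and quote doubling) plus one hazard of the replaceAll approach. This is an added example, not code from the post and not REALbasic; it uses Python's built-in sqlite3 driver against a constructed in-memory table, and the table, column and placeholder names are assumptions for the demonstration. The malicious input is the tautology form rather than the stacked "; delete from table ;" form because sqlite3's execute() refuses more than one statement per call.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration (not real data).
ROWS = [("alice", "alice@example.com", "user"),
        ("bob", "bob@example.com", "admin")]

# Assumed template in the style of the post: textual :1 / :2 placeholders.
TEMPLATE = "select a,b,c from users where a = :1 and b = :2"


def make_db():
    """Create an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (a text, b text, c text)")
    conn.executemany("insert into users values (?, ?, ?)", ROWS)
    return conn


def double_up_quotes(value):
    """Escape a value for a single-quoted SQL literal by doubling quotes.

    This is the 'doubleUpQuotes' idea from the post for SQLite, which
    treats '' inside a literal as one quote. Engines that also honour
    backslash escapes (e.g. MySQL in its default mode) need more than this.
    """
    return value.replace("'", "''")


def query_concat(conn, d):
    """Vulnerable: the value is spliced straight into the SQL text."""
    sql = "select a,b,c from users where a = '" + d + "'"
    return conn.execute(sql).fetchall()


def query_bound(conn, d):
    """Safe: the driver passes the value separately from the SQL text."""
    return conn.execute("select a,b,c from users where a = ?", (d,)).fetchall()


def query_escaped(conn, d):
    """Fallback when binding is unavailable: quote-double, then splice."""
    sql = "select a,b,c from users where a = '" + double_up_quotes(d) + "'"
    return conn.execute(sql).fetchall()


def render_like_post(template, p1, p2):
    """Mimic the post's two sequential replaceAll calls.

    Hazard: the second replace also rewrites any ':2' that arrived inside
    the first parameter's value, corrupting the quoting of the statement.
    """
    sql = template.replace(":1", "'" + double_up_quotes(p1) + "'")
    sql = sql.replace(":2", "'" + double_up_quotes(p2) + "'")
    return sql


def render_single_pass(template, params):
    """Substitute every :N placeholder in one pass so values are never
    re-scanned for placeholders. params is a list indexed from :1."""
    def sub(match):
        value = params[int(match.group(1)) - 1]
        return "'" + double_up_quotes(value) + "'"
    return re.sub(r":(\d+)", sub, template)


if __name__ == "__main__":
    conn = make_db()
    evil = "' or '1'='1"
    print("concat :", query_concat(conn, evil))    # every row leaks
    print("bound  :", query_bound(conn, evil))     # no rows
    print("escaped:", query_escaped(conn, evil))   # no rows
    print(render_like_post(TEMPLATE, "x:2y", "z"))  # broken quoting
    print(render_single_pass(TEMPLATE, ["x:2y", "z"]))
```

Note that quote doubling only addresses quote-delimited string literals; a value spliced into a numeric position (where no quotes surround it) or into an identifier position is not protected by it, which is one reason the post prefers bound variables where the engine supports them.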