Re: [NF] What would you miss from VFP, when migrating
25 years ago as a guess. I probably didn't use the ? operator.

On Mon, Jul 1, 2019 at 2:39 PM MB Software Solutions, LLC <mbsoftwaresoluti...@mbsoftwaresolutions.com> wrote:

> Maybe this was back in VFP6 days, when _Stephen last worked in VFP
> regularly. LOL
>
> On 7/1/2019 3:19 PM, Frank Cazabon wrote:
> > OK, my code is just simulating what would have been entered in the
> > textbox.
> >
> > So I changed it to this:
> >
> > m.CompanyID = "' or 1 = 1; drop table deleteMe ; --"
> > m.lcWhereClause = "WHERE test = ?m.CompanyID"
> >
> > TEXT TO m.lcSQL NOSHOW TEXTMERGE
> > SELECT *
> > FROM deleteme
> > <>
> > ENDTEXT
> > m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")
> >
> > It ran with no unexpected result. The deleteme table is still in the
> > database. What are you expecting to happen?
> >
> > Maybe you can take my code and adjust it to show what the issue is?
> >
> > Frank.
> >
> > Frank Cazabon
> >
> > On 01/07/2019 02:40 PM, Stephen Russell wrote:
> >> Actually, in the textbox of your form, you would put it there.
> >> ' or 1 = 1; Drop table deleteMe ; --
> >>
> >> The closing quote mark, the Or condition with the semicolon. Next
> >> statement is simple to delete a table in the database with another
> >> semicolon. Then put in 2 minus signs to comment out the rest of the
> >> code that you thought was going to operate.
> >>
> >> On Mon, Jul 1, 2019 at 1:05 PM Frank Cazabon wrote:
> >>
> >>> Stephen,
> >>>
> >>> just in case you missed my question:
> >>>
> >>> Do you mean change this line:
> >>>
> >>> m.CompanyID = "1 = 1; drop table deleteMe ; --"
> >>>
> >>> To this:
> >>>
> >>> m.CompanyID = "or 1 = 1; drop table deleteMe ; --"
> >>>
> >>> Frank.
> >>>
> >>> Frank Cazabon
> >>>
> >>> On 28/06/2019 04:23 PM, Stephen Russell wrote:
> >>>> I believe that you needed an OR
> >>>>
> >>>> "1 = 1; drop table deleteMe ; --"
> >>>>
> >>>> " or 1 = 1; drop table deleteMe ; --"
> >>>>
> >>>> On Fri, Jun 28, 2019 at 1:34 PM Frank Cazabon wrote:
> >>>>
> >>>>> I created a database SQL Server called junk and added a table called
> >>>>> deleteme with one column called test nchar(10).
> >>>>>
> >>>>> I ran the code below and the deleteme table is still there. Did I do
> >>>>> what you wanted or have I misinterpreted your request?
> >>>>>
> >>>>> TEXT TO m.lcConnectionString NOSHOW TEXTMERGE
> >>>>> DRIVER=SQL Server Native Client 11.0;Trusted_Connection=Yes;DATABASE=junk;SERVER=< here>>;Application Name=JunkTest
> >>>>> ENDTEXT
> >>>>>
> >>>>> LOCAL m.lnHandle
> >>>>>
> >>>>> lnDispLogin = SQLGETPROP(0,"DispLogin")
> >>>>> SQLSETPROP(0,"DispLogin",3) &&& never
> >>>>> m.lnHandle = SQLSTRINGCONNECT(m.lcConnectionString,.T.)
> >>>>> SQLSETPROP(0,"DispLogin",lnDispLogin)
> >>>>> IF m.lnHandle > 0
> >>>>>     m.CompanyID = "1 = 1; drop table deleteMe ; --"
> >>>>>     m.lcWhereClause = "WHERE test = ?m.CompanyID"
> >>>>>
> >>>>>     TEXT TO m.lcSQL NOSHOW TEXTMERGE
> >>>>>     SELECT *
> >>>>>     FROM deleteme
> >>>>>     <>
> >>>>>     ENDTEXT
> >>>>>     m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")
> >>>>>     SQLDISCONNECT(m.lnHandle)
> >>>>>     MESSAGEBOX(m.lcSQL + " has run")
> >>>>> ELSE
> >>>>>     MESSAGEBOX("Unable to connect")
> >>>>> ENDIF
> >>>>>
> >>>>>
> >>>>> FUNCTION RunSQL
> >>>>> LPARAMETERS tnHandle, tcSQL, tcMessage, tuCursor
> >>>>>
> >>>>> LOCAL m.llSuccess
> >>>>> m.llSuccess = .T.
> >>>>>
> >>>>> IF TYPE("m.tcMessage") = "L"
> >>>>>     m.tcMessage = ""
> >>>>> ENDIF
> >>>>>
> >>>>> IF TYPE("m.tuCursor") = "L"
> >>>>>     m.tuCursor = ""
> >>>>> ENDIF
> >>>>>
> >>>>> m.llSuccess = SQLEXEC(m.tnHandle, m.tcSQL, m.tuCursor) > 0
> >>>>> IF NOT m.llSuccess
> >>>>>     AERROR(laError)
> >>>>>     SET STEP ON
> >>>>>     STRTOFILE("Error: " + laError[2] + " Unable to execute:" + m.tcSQL + CRLF, "Convert DivChqs to Stars.log", 1)
> >>>>> ELSE
> >>>>>     IF NOT EMPTY(m.tcMessage)
> >>>>>         STRTOFILE(m.tcMessage + CRLF, "Convert DivChqs to Stars.log", 1)
> >>>>>     ENDIF
> >>>>> ENDIF
> >>>>> RETURN m.llSuccess
> >>>>>
> >>>>>
> >>>>> Frank.
> >>>>>
> >>>>> Frank Cazabon
> >>>>>
> >>>>> On 28/06/2019 02:11 PM, Stephen Russell wrote:
> >>>>>> This looks like a great test for Text EndText!
> >>>>>>
> >>>>>> create a table deleteMe
> >>>>>>
> >>>>>> In the form put text like this: [any value for a customer here] or 1 = 1 ; drop table deleteMe ; --
> >>>>>>
> >>>>>> m.CompanyID = ALLTRIM(thisform.CoCode.value)
> >>>>>> m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"
> >>>>>>
> >>>>>> What do you see in the entire statement you put together?
> >>>>>>
> >>>>>> If you run it against a SQL box does your table disappear?
> >>>>>>
> >>>>>> To get around 1 = 1 you could have a TON of different
> >>>>>> combinations to get a
Re: [NF] What would you miss from VFP, when migrating
Maybe this was back in VFP6 days, when _Stephen last worked in VFP regularly. LOL

On 7/1/2019 3:19 PM, Frank Cazabon wrote:

OK, my code is just simulating what would have been entered in the textbox.

So I changed it to this:

m.CompanyID = "' or 1 = 1; drop table deleteMe ; --"
m.lcWhereClause = "WHERE test = ?m.CompanyID"

TEXT TO m.lcSQL NOSHOW TEXTMERGE
SELECT *
FROM deleteme
<>
ENDTEXT
m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")

It ran with no unexpected result. The deleteme table is still in the database. What are you expecting to happen?

Maybe you can take my code and adjust it to show what the issue is?

Frank.

Frank Cazabon

On 01/07/2019 02:40 PM, Stephen Russell wrote:

Actually, in the textbox of your form, you would put it there.
' or 1 = 1; Drop table deleteMe ; --

The closing quote mark, the Or condition with the semicolon. Next statement is simple to delete a table in the database with another semicolon. Then put in 2 minus signs to comment out the rest of the code that you thought was going to operate.

On Mon, Jul 1, 2019 at 1:05 PM Frank Cazabon wrote:

Stephen,

just in case you missed my question:

Do you mean change this line:

m.CompanyID = "1 = 1; drop table deleteMe ; --"

To this:

m.CompanyID = "or 1 = 1; drop table deleteMe ; --"

Frank.

Frank Cazabon

On 28/06/2019 04:23 PM, Stephen Russell wrote:

I believe that you needed an OR

"1 = 1; drop table deleteMe ; --"

" or 1 = 1; drop table deleteMe ; --"

On Fri, Jun 28, 2019 at 1:34 PM Frank Cazabon wrote:

I created a database SQL Server called junk and added a table called deleteme with one column called test nchar(10).

I ran the code below and the deleteme table is still there. Did I do what you wanted or have I misinterpreted your request?

TEXT TO m.lcConnectionString NOSHOW TEXTMERGE
DRIVER=SQL Server Native Client 11.0;Trusted_Connection=Yes;DATABASE=junk;SERVER=<>;Application Name=JunkTest
ENDTEXT

LOCAL m.lnHandle

lnDispLogin = SQLGETPROP(0,"DispLogin")
SQLSETPROP(0,"DispLogin",3) &&& never
m.lnHandle = SQLSTRINGCONNECT(m.lcConnectionString,.T.)
SQLSETPROP(0,"DispLogin",lnDispLogin)
IF m.lnHandle > 0
    m.CompanyID = "1 = 1; drop table deleteMe ; --"
    m.lcWhereClause = "WHERE test = ?m.CompanyID"

    TEXT TO m.lcSQL NOSHOW TEXTMERGE
    SELECT *
    FROM deleteme
    <>
    ENDTEXT
    m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")
    SQLDISCONNECT(m.lnHandle)
    MESSAGEBOX(m.lcSQL + " has run")
ELSE
    MESSAGEBOX("Unable to connect")
ENDIF


FUNCTION RunSQL
LPARAMETERS tnHandle, tcSQL, tcMessage, tuCursor

LOCAL m.llSuccess
m.llSuccess = .T.

IF TYPE("m.tcMessage") = "L"
    m.tcMessage = ""
ENDIF

IF TYPE("m.tuCursor") = "L"
    m.tuCursor = ""
ENDIF

m.llSuccess = SQLEXEC(m.tnHandle, m.tcSQL, m.tuCursor) > 0
IF NOT m.llSuccess
    AERROR(laError)
    SET STEP ON
    STRTOFILE("Error: " + laError[2] + " Unable to execute:" + m.tcSQL + CRLF, "Convert DivChqs to Stars.log", 1)
ELSE
    IF NOT EMPTY(m.tcMessage)
        STRTOFILE(m.tcMessage + CRLF, "Convert DivChqs to Stars.log", 1)
    ENDIF
ENDIF
RETURN m.llSuccess

Frank.

Frank Cazabon

On 28/06/2019 02:11 PM, Stephen Russell wrote:

This looks like a great test for Text EndText!

create a table deleteMe

In the form put text like this: [any value for a customer here] or 1 = 1 ; drop table deleteMe ; --

m.CompanyID = ALLTRIM(thisform.CoCode.value)
m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"

What do you see in the entire statement you put together?

If you run it against a SQL box does your table disappear?

To get around 1 = 1 you could have a TON of different combinations to get a true result. 'abc <> 'cba' does the trick to create a true condition and off it goes.

On Fri, Jun 28, 2019 at 12:13 PM Frank Cazabon <frank.caza...@gmail.com> wrote:

To make your code safer, ensure you use parameters:

m.CompanyID = ALLTRIM(thisform.CoCode.value)
m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"

Frank.

Frank Cazabon

On 28/06/2019 11:14 AM, Paul H. Tarver wrote:

I've never doubted the benefits of stored procedures and if I were an in-house programmer for a company with full admin rights and/or console access to the SQL Servers, I would be tempted to always use stored procedures myself. However, that is NOT the world I work in. My job is to build interfaces to move data between different systems. I am usually provided with READ-ONLY SQL credentials so I can then issue SELECT queries to extract data and then use the results of those queries to create data feeds into other systems.

Our systems pull data in one direction only and when I describe dynamic SQL statements I'm referring to something little like this (although most are far more complicated queries with lots of moving parts):

lcWhereClause = "WHERE emp.CpnyID =
Re: [NF] What would you miss from VFP, when migrating
OK, my code is just simulating what would have been entered in the textbox.

So I changed it to this:

m.CompanyID = "' or 1 = 1; drop table deleteMe ; --"
m.lcWhereClause = "WHERE test = ?m.CompanyID"

TEXT TO m.lcSQL NOSHOW TEXTMERGE
SELECT *
FROM deleteme
<>
ENDTEXT
m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")

It ran with no unexpected result. The deleteme table is still in the database. What are you expecting to happen?

Maybe you can take my code and adjust it to show what the issue is?

Frank.

Frank Cazabon

On 01/07/2019 02:40 PM, Stephen Russell wrote:

Actually, in the textbox of your form, you would put it there.
' or 1 = 1; Drop table deleteMe ; --

The closing quote mark, the Or condition with the semicolon. Next statement is simple to delete a table in the database with another semicolon. Then put in 2 minus signs to comment out the rest of the code that you thought was going to operate.

On Mon, Jul 1, 2019 at 1:05 PM Frank Cazabon wrote:

Stephen,

just in case you missed my question:

Do you mean change this line:

m.CompanyID = "1 = 1; drop table deleteMe ; --"

To this:

m.CompanyID = "or 1 = 1; drop table deleteMe ; --"

Frank.

Frank Cazabon

On 28/06/2019 04:23 PM, Stephen Russell wrote:

I believe that you needed an OR

"1 = 1; drop table deleteMe ; --"

" or 1 = 1; drop table deleteMe ; --"

On Fri, Jun 28, 2019 at 1:34 PM Frank Cazabon wrote:

I created a database SQL Server called junk and added a table called deleteme with one column called test nchar(10).

I ran the code below and the deleteme table is still there. Did I do what you wanted or have I misinterpreted your request?

TEXT TO m.lcConnectionString NOSHOW TEXTMERGE
DRIVER=SQL Server Native Client 11.0;Trusted_Connection=Yes;DATABASE=junk;SERVER=<>;Application Name=JunkTest
ENDTEXT

LOCAL m.lnHandle

lnDispLogin = SQLGETPROP(0,"DispLogin")
SQLSETPROP(0,"DispLogin",3) &&& never
m.lnHandle = SQLSTRINGCONNECT(m.lcConnectionString,.T.)
SQLSETPROP(0,"DispLogin",lnDispLogin)
IF m.lnHandle > 0
    m.CompanyID = "1 = 1; drop table deleteMe ; --"
    m.lcWhereClause = "WHERE test = ?m.CompanyID"

    TEXT TO m.lcSQL NOSHOW TEXTMERGE
    SELECT *
    FROM deleteme
    <>
    ENDTEXT
    m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")
    SQLDISCONNECT(m.lnHandle)
    MESSAGEBOX(m.lcSQL + " has run")
ELSE
    MESSAGEBOX("Unable to connect")
ENDIF


FUNCTION RunSQL
LPARAMETERS tnHandle, tcSQL, tcMessage, tuCursor

LOCAL m.llSuccess
m.llSuccess = .T.

IF TYPE("m.tcMessage") = "L"
    m.tcMessage = ""
ENDIF

IF TYPE("m.tuCursor") = "L"
    m.tuCursor = ""
ENDIF

m.llSuccess = SQLEXEC(m.tnHandle, m.tcSQL, m.tuCursor) > 0
IF NOT m.llSuccess
    AERROR(laError)
    SET STEP ON
    STRTOFILE("Error: " + laError[2] + " Unable to execute:" + m.tcSQL + CRLF, "Convert DivChqs to Stars.log", 1)
ELSE
    IF NOT EMPTY(m.tcMessage)
        STRTOFILE(m.tcMessage + CRLF, "Convert DivChqs to Stars.log", 1)
    ENDIF
ENDIF
RETURN m.llSuccess

Frank.

Frank Cazabon

On 28/06/2019 02:11 PM, Stephen Russell wrote:

This looks like a great test for Text EndText!

create a table deleteMe

In the form put text like this: [any value for a customer here] or 1 = 1 ; drop table deleteMe ; --

m.CompanyID = ALLTRIM(thisform.CoCode.value)
m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"

What do you see in the entire statement you put together?

If you run it against a SQL box does your table disappear?

To get around 1 = 1 you could have a TON of different combinations to get a true result. 'abc <> 'cba' does the trick to create a true condition and off it goes.

On Fri, Jun 28, 2019 at 12:13 PM Frank Cazabon <frank.caza...@gmail.com> wrote:

To make your code safer, ensure you use parameters:

m.CompanyID = ALLTRIM(thisform.CoCode.value)
m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"

Frank.

Frank Cazabon

On 28/06/2019 11:14 AM, Paul H. Tarver wrote:

I've never doubted the benefits of stored procedures and if I were an in-house programmer for a company with full admin rights and/or console access to the SQL Servers, I would be tempted to always use stored procedures myself. However, that is NOT the world I work in. My job is to build interfaces to move data between different systems. I am usually provided with READ-ONLY SQL credentials so I can then issue SELECT queries to extract data and then use the results of those queries to create data feeds into other systems.

Our systems pull data in one direction only and when I describe dynamic SQL statements I'm referring to something little like this (although most are far more complicated queries with lots of moving parts):

lcWhereClause = "WHERE emp.CpnyID = '" + ALLTRIM(thisform.CoCode.value)

TEXT TO lcSQLCmd TEXTMERGE NOSHOW
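
[Added example, not code from any poster in this thread.] The two styles being compared above behave differently because the concatenated WHERE clause pastes the textbox value into the SQL text, while the ?m.CompanyID form sends it as a bound parameter, which is why the deleteme table survived Frank's test. Python's sqlite3 stands in for VFP and SQL Server here; make_db, run_concatenated, run_parameterized and demo are hypothetical names, and executescript() is an assumed stand-in for a driver that accepts a multi-statement batch.

```python
import sqlite3

# The text Stephen suggests typing into the form's textbox (from the thread).
PAYLOAD = "' or 1 = 1; drop table deleteMe ; --"
# Constructed variant: the same input without the second statement.
TAUTOLOGY = "' or 1 = 1 --"


def make_db():
    """In-memory stand-in for the thread's 'junk' database (SQLite, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deleteMe (test TEXT)")
    # Constructed sample rows.
    conn.executemany("INSERT INTO deleteMe VALUES (?)", [("ACME",), ("GLOBEX",)])
    conn.commit()
    return conn


def table_exists(conn, name="deleteMe"):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def concatenated_sql(company_id):
    """Concatenation style: the value becomes part of the SQL text itself."""
    return "SELECT * FROM deleteMe WHERE test = '" + company_id + "'"


def run_concatenated(conn, company_id):
    """Run the concatenated text as a batch and return the SQL that was sent."""
    sql = concatenated_sql(company_id)
    # Assumption: executescript() models a driver that runs every statement
    # in the string, so anything after the first ';' is executed too.
    conn.executescript(sql)
    return sql


def run_parameterized(conn, company_id):
    """Parameter style: the SQL text is fixed, the value travels separately."""
    return conn.execute(
        "SELECT * FROM deleteMe WHERE test = ?", (company_id,)
    ).fetchall()


def demo():
    results = {}

    conn = make_db()
    results["param_legit"] = run_parameterized(conn, "ACME")
    # The payload is compared as a literal string: no match, nothing executed.
    results["param_payload"] = run_parameterized(conn, PAYLOAD)
    results["table_after_param"] = table_exists(conn)

    # Even a SELECT-only (read-only) caller is affected: the WHERE filter
    # is bypassed and every row comes back.
    results["concat_tautology_rows"] = len(
        conn.execute(concatenated_sql(TAUTOLOGY)).fetchall()
    )

    results["concat_sql"] = run_concatenated(conn, PAYLOAD)
    results["table_after_concat"] = table_exists(conn)
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The SQL text actually sent is the thing to inspect: in the parameterized call it never changes, whatever the user types.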
Re: [NF] What would you miss from VFP, when migrating
Actually, in the textbox of your form, you would put it there.
' or 1 = 1; Drop table deleteMe ; --

The closing quote mark, the Or condition with the semicolon. Next statement is simple to delete a table in the database with another semicolon. Then put in 2 minus signs to comment out the rest of the code that you thought was going to operate.

On Mon, Jul 1, 2019 at 1:05 PM Frank Cazabon wrote:

> Stephen,
>
> just in case you missed my question:
>
> Do you mean change this line:
>
> m.CompanyID = "1 = 1; drop table deleteMe ; --"
>
> To this:
>
> m.CompanyID = "or 1 = 1; drop table deleteMe ; --"
>
> Frank.
>
> Frank Cazabon
>
> On 28/06/2019 04:23 PM, Stephen Russell wrote:
> > I believe that you needed an OR
> >
> > "1 = 1; drop table deleteMe ; --"
> >
> > " or 1 = 1; drop table deleteMe ; --"
> >
> > On Fri, Jun 28, 2019 at 1:34 PM Frank Cazabon wrote:
> >
> >> I created a database SQL Server called junk and added a table called
> >> deleteme with one column called test nchar(10).
> >>
> >> I ran the code below and the deleteme table is still there. Did I do
> >> what you wanted or have I misinterpreted your request?
> >>
> >> TEXT TO m.lcConnectionString NOSHOW TEXTMERGE
> >> DRIVER=SQL Server Native Client 11.0;Trusted_Connection=Yes;DATABASE=junk;SERVER=< here>>;Application Name=JunkTest
> >> ENDTEXT
> >>
> >> LOCAL m.lnHandle
> >>
> >> lnDispLogin = SQLGETPROP(0,"DispLogin")
> >> SQLSETPROP(0,"DispLogin",3) &&& never
> >> m.lnHandle = SQLSTRINGCONNECT(m.lcConnectionString,.T.)
> >> SQLSETPROP(0,"DispLogin",lnDispLogin)
> >> IF m.lnHandle > 0
> >>     m.CompanyID = "1 = 1; drop table deleteMe ; --"
> >>     m.lcWhereClause = "WHERE test = ?m.CompanyID"
> >>
> >>     TEXT TO m.lcSQL NOSHOW TEXTMERGE
> >>     SELECT *
> >>     FROM deleteme
> >>     <>
> >>     ENDTEXT
> >>     m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")
> >>     SQLDISCONNECT(m.lnHandle)
> >>     MESSAGEBOX(m.lcSQL + " has run")
> >> ELSE
> >>     MESSAGEBOX("Unable to connect")
> >> ENDIF
> >>
> >>
> >> FUNCTION RunSQL
> >> LPARAMETERS tnHandle, tcSQL, tcMessage, tuCursor
> >>
> >> LOCAL m.llSuccess
> >> m.llSuccess = .T.
> >>
> >> IF TYPE("m.tcMessage") = "L"
> >>     m.tcMessage = ""
> >> ENDIF
> >>
> >> IF TYPE("m.tuCursor") = "L"
> >>     m.tuCursor = ""
> >> ENDIF
> >>
> >> m.llSuccess = SQLEXEC(m.tnHandle, m.tcSQL, m.tuCursor) > 0
> >> IF NOT m.llSuccess
> >>     AERROR(laError)
> >>     SET STEP ON
> >>     STRTOFILE("Error: " + laError[2] + " Unable to execute:" + m.tcSQL + CRLF, "Convert DivChqs to Stars.log", 1)
> >> ELSE
> >>     IF NOT EMPTY(m.tcMessage)
> >>         STRTOFILE(m.tcMessage + CRLF, "Convert DivChqs to Stars.log", 1)
> >>     ENDIF
> >> ENDIF
> >> RETURN m.llSuccess
> >>
> >>
> >> Frank.
> >>
> >> Frank Cazabon
> >>
> >> On 28/06/2019 02:11 PM, Stephen Russell wrote:
> >>> This looks like a great test for Text EndText!
> >>>
> >>> create a table deleteMe
> >>>
> >>> In the form put text like this: [any value for a customer here] or 1 = 1 ; drop table deleteMe ; --
> >>>
> >>> m.CompanyID = ALLTRIM(thisform.CoCode.value)
> >>> m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"
> >>>
> >>> What do you see in the entire statement you put together?
> >>>
> >>> If you run it against a SQL box does your table disappear?
> >>>
> >>> To get around 1 = 1 you could have a TON of different combinations to get a
> >>> true result. 'abc <> 'cba' does the trick to create a true condition and
> >>> off it goes.
> >>>
> >>> On Fri, Jun 28, 2019 at 12:13 PM Frank Cazabon <frank.caza...@gmail.com> wrote:
> >>>
> >>>> To make your code safer, ensure you use parameters:
> >>>>
> >>>> m.CompanyID = ALLTRIM(thisform.CoCode.value)
> >>>> m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"
> >>>>
> >>>> Frank.
> >>>>
> >>>> Frank Cazabon
> >>>>
> >>>> On 28/06/2019 11:14 AM, Paul H. Tarver wrote:
> >>>>> I've never doubted the benefits of stored procedures and if I were an
> >>>>> in-house programmer for a company with full admin rights and/or console
> >>>>> access to the SQL Servers, I would be tempted to always use stored
> >>>>> procedures myself. However, that is NOT the world I work in. My job is to
> >>>>> build interfaces to move data between different systems. I am usually
> >>>>> provided with READ-ONLY SQL credentials so I can then issue SELECT queries
> >>>>> to extract data and then use the results of those queries to create data
> >>>>> feeds into other systems.
> >>>>>
> >>>>> Our systems pull data in one direction only and when I describe dynamic SQL
> >>>>> statements I'm referring to something little like this (although most are
> >>>>> far more complicated queries with lots of moving parts):
> >>>>>
> >>>>> lcWhereClause = "WHERE emp.CpnyID = '" + ALLTRIM(thisform.CoCode.value)
Re: [NF] What would you miss from VFP, when migrating
Stephen,

just in case you missed my question:

Do you mean change this line:

m.CompanyID = "1 = 1; drop table deleteMe ; --"

To this:

m.CompanyID = "or 1 = 1; drop table deleteMe ; --"

Frank.

Frank Cazabon

On 28/06/2019 04:23 PM, Stephen Russell wrote:

I believe that you needed an OR

"1 = 1; drop table deleteMe ; --"

" or 1 = 1; drop table deleteMe ; --"

On Fri, Jun 28, 2019 at 1:34 PM Frank Cazabon wrote:

I created a database SQL Server called junk and added a table called deleteme with one column called test nchar(10).

I ran the code below and the deleteme table is still there. Did I do what you wanted or have I misinterpreted your request?

TEXT TO m.lcConnectionString NOSHOW TEXTMERGE
DRIVER=SQL Server Native Client 11.0;Trusted_Connection=Yes;DATABASE=junk;SERVER=<>;Application Name=JunkTest
ENDTEXT

LOCAL m.lnHandle

lnDispLogin = SQLGETPROP(0,"DispLogin")
SQLSETPROP(0,"DispLogin",3) &&& never
m.lnHandle = SQLSTRINGCONNECT(m.lcConnectionString,.T.)
SQLSETPROP(0,"DispLogin",lnDispLogin)
IF m.lnHandle > 0
    m.CompanyID = "1 = 1; drop table deleteMe ; --"
    m.lcWhereClause = "WHERE test = ?m.CompanyID"

    TEXT TO m.lcSQL NOSHOW TEXTMERGE
    SELECT *
    FROM deleteme
    <>
    ENDTEXT
    m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")
    SQLDISCONNECT(m.lnHandle)
    MESSAGEBOX(m.lcSQL + " has run")
ELSE
    MESSAGEBOX("Unable to connect")
ENDIF


FUNCTION RunSQL
LPARAMETERS tnHandle, tcSQL, tcMessage, tuCursor

LOCAL m.llSuccess
m.llSuccess = .T.

IF TYPE("m.tcMessage") = "L"
    m.tcMessage = ""
ENDIF

IF TYPE("m.tuCursor") = "L"
    m.tuCursor = ""
ENDIF

m.llSuccess = SQLEXEC(m.tnHandle, m.tcSQL, m.tuCursor) > 0
IF NOT m.llSuccess
    AERROR(laError)
    SET STEP ON
    STRTOFILE("Error: " + laError[2] + " Unable to execute:" + m.tcSQL + CRLF, "Convert DivChqs to Stars.log", 1)
ELSE
    IF NOT EMPTY(m.tcMessage)
        STRTOFILE(m.tcMessage + CRLF, "Convert DivChqs to Stars.log", 1)
    ENDIF
ENDIF
RETURN m.llSuccess

Frank.

Frank Cazabon

On 28/06/2019 02:11 PM, Stephen Russell wrote:

This looks like a great test for Text EndText!

create a table deleteMe

In the form put text like this: [any value for a customer here] or 1 = 1 ; drop table deleteMe ; --

m.CompanyID = ALLTRIM(thisform.CoCode.value)
m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"

What do you see in the entire statement you put together?

If you run it against a SQL box does your table disappear?

To get around 1 = 1 you could have a TON of different combinations to get a true result. 'abc <> 'cba' does the trick to create a true condition and off it goes.

On Fri, Jun 28, 2019 at 12:13 PM Frank Cazabon wrote:

To make your code safer, ensure you use parameters:

m.CompanyID = ALLTRIM(thisform.CoCode.value)
m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"

Frank.

Frank Cazabon

On 28/06/2019 11:14 AM, Paul H. Tarver wrote:

I've never doubted the benefits of stored procedures and if I were an in-house programmer for a company with full admin rights and/or console access to the SQL Servers, I would be tempted to always use stored procedures myself. However, that is NOT the world I work in. My job is to build interfaces to move data between different systems. I am usually provided with READ-ONLY SQL credentials so I can then issue SELECT queries to extract data and then use the results of those queries to create data feeds into other systems.

Our systems pull data in one direction only and when I describe dynamic SQL statements I'm referring to something little like this (although most are far more complicated queries with lots of moving parts):

lcWhereClause = "WHERE emp.CpnyID = '" + ALLTRIM(thisform.CoCode.value)

TEXT TO lcSQLCmd TEXTMERGE NOSHOW
SELECT
    CAST(emp.CpnyID AS CHAR(20)) AS compid,
    CAST(emp.EmpId AS CHAR(20)) AS emplid,
    emp.NameFirst as fname,
    emp.NameMiddle as mname,
    emp.NameLast as lname,
    emp.StrtDate as hire_date
FROM dbo.Employee emp
<>
ENDTEXT

lnStatus = SQLEXEC(lnSQLHandle, lcSQLCmd, "EmpList")

We accept and validate the selection of the CoCode by the user and then we construct the "dynamic query." I suspect your perception of a Dynamic Query is greatly different than mine. The point of my original comment was to praise the ease with which I can construct SQL statements in a TEXT/ENDTEXT construct and I think this example shows that

Thanks!

Paul H. Tarver

-Original Message-
From: ProfoxTech [mailto:profoxtech-boun...@leafe.com] On Behalf Of Stephen Russell
Sent: Friday, June 28, 2019 9:27 AM
To: profoxt...@leafe.com
Subject: Re: [NF] What would you miss from VFP, when migrating

I am backing off of licenses for SQL Enterprise down to Standard for 2/3 of all my SQL Server usage in my new deployments. Used to have a total of 96 cores running
Re: [NF] What would you miss from VFP, when migrating
I love me some ORM!

Snippet on making an object to be populated with data and saved. You can pile in the Add() objects and then call the SaveChanges() once if you need to. Such as N sales order detail lines.

public static void loadresp(String Plant, String respStr)
{
    using (RingSecurityEntities1 dbb = new RingSecurityEntities1())
    {
        SafetyCultureResponse responseFrom = new SafetyCultureResponse();
        Guid gu = Guid.NewGuid();
        responseFrom.ID = gu;
        responseFrom.EventDate = DateTime.Now;
        responseFrom.ReponsePlant = Plant;
        responseFrom.ResponsePhrase = respStr;
        dbb.SafetyCultureResponses.Add(responseFrom);
        dbb.SaveChanges();
    }
}

On Mon, Jul 1, 2019 at 3:47 AM Alan Bourke wrote:

> On Thu, 27 Jun 2019, at 6:25 PM, Kevin Cully wrote:
> >
> > Another language command is the SCATTER NAME and GATHER NAME. The
> > ability to create an object with properties that corresponds to each
> > field of a record is incredibly useful
>
> Pick any one of the many ORMs!
>
> --
> Alan Bourke
> alanpbourke (at) fastmail (dot) fm
>
[excessive quoting removed by server]

___
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: https://leafe.com/archives
This message: https://leafe.com/archives/byMID/cajidmy+-5wroxg8n57hpwc+ujrkivcdvbzg-tbrakbsoiw4...@mail.gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
ProFox List Statistics for June 2019
ProFox List Statistics
June 2019

Subscriber Count at End of Month:
    ProFox:     292
    ProFoxTech: 182

Total Posts:      127 (Down 30.98% from May 2019)
Total [OT] Posts:   3 (Up 100.0% from May 2019)
Total [NF] Posts:  52 (Up 44.44% from May 2019)

Daily Message Counts for June 2019

DOW  Date  Count
---  ----  -----
S      1      1
S      2      2
M      3      2
T      4      2
W      5      4
T      6     22
F      7      4
M     10      7
T     11     10
S     16      2
M     17      3
T     18      7
W     19      1
M     24      1
T     25      7
W     26      1
T     27     28
F     28     22
S     29      1

Message Counts By Day of Week for June 2019

DOW  Count
---  -----
Sun      4
Mon     13
Tue     26
Wed      6
Thu     50
Fri     26
Sat      2

Distinct Posters to the List (changes relative to May 2019)

Non-OT messages: 27 (Down 18.18%)
OT messages:      2 (Up 100.0%)
NF messages:     12 (Down 14.29%)
Total number:    27 (Down 18.18%)

Top 20 Contributors by Number of Non-OT Posts

Rank  Posts  Contributor
----  -----  -----------
  1.     15  Stephen Russell
  2.     13  Paul H. Tarver
  3.     12  MB Software Solutions, LLC
  4.      9  Tracy Pearson
  5.      8  Ted Roche
  6.      8  Johan Nel
  7.      7  Gene Wirchenko
  8.      7  Alan Bourke
  9.      6  António Tavares Lopes
 10.      6  Frank Cazabon
 11.      4  Paul Newton
 12.      3  Ajoy Khaund
 13.      3  Man-wai Chang
 14.      2  Eric Selje
 15.      2  Rick Schummer
 16.      2  Fletcher Johnson
 17.      2  Richard Kaye
 18.      2
 19.      2  John Weller
 20.      2  Bill Anderson

Top 2 Contributors by Number of OT Posts

Rank  Posts  OT%  Contributor
----  -----  ---  -----------
  1.      2  20%  Johan Nel
  2.      1   8%  MB Software Solutions, LLC

Top 12 Contributors by Number of NF Posts

Rank  Posts  Contributor
----  -----  -----------
  1.     13  Stephen Russell
  2.      9  MB Software Solutions, LLC
  3.      7  Johan Nel
  4.      7  Paul H. Tarver
  5.      6  Frank Cazabon
  6.      3  António Tavares Lopes
  7.      2  Alan Bourke
  8.      1
  9.      1  Ted Roche
 10.      1  Charles Hart Enzer, M.D.
 11.      1  Kevin Cully
 12.      1  John Weller

Top 20 Contributors by Total Number of Posts

Rank  Posts  Contributor
----  -----  -----------
  1.     15  Stephen Russell
  2.     13  Paul H. Tarver
  3.     13  MB Software Solutions, LLC
  4.     10  Johan Nel
  5.      9  Tracy Pearson
  6.      8  Ted Roche
  7.      7  Gene Wirchenko
  8.      7  Alan Bourke
  9.      6  António Tavares Lopes
 10.      6  Frank Cazabon
 11.      4  Paul Newton
 12.      3  Ajoy Khaund
 13.      3  Man-wai Chang
 14.      2  Eric Selje
 15.      2  Rick Schummer
 16.      2  Fletcher Johnson
 17.      2  Richard Kaye
 18.      2
 19.      2  John Weller
 20.      2  Bill Anderson

Top 14 Contributors by Number of New Threads Started

Rank  Posts  Contributor
----  -----  -----------
  1.      3  Johan Nel
  2.      2  MB Software Solutions, LLC
  3.      2  Rick Schummer
  4.      2
  5.      2  Stephen Russell
  6.      2  Paul Newton
  7.      1  List Administrator Account
  8.      1  Ajoy Khaund
  9.      1  Gene Wirchenko
 10.      1  Bill Anderson
 11.      1  Paul H. Tarver
 12.      1  Tracy Pearson
 13.      1  Charles Hart Enzer, M.D.
 14.      1  Eric Selje

Top 20 Non-OT Threads by Total Number of Posts

Rank  Posts  Subject
----  -----  -------
  1.     40  [NF] What would you miss from VFP, when migrating
  2.     23  Funny bug
  3.     12  Odd Error Message
  4.      8  VFP 9 SP fix lists
  5.      7  Mobile App
  6.      5  ProFox List Statistics for May 2019
  7.      4  [NF] Scaling in mySQL?
  8.      3  [NF] Fun with Table of Contents in MS Word 2016 (...NOT FUN)
  9.      3  Odd build error when trying to create automation COM component; references drive/folder I don't have in Project Info/Servers tab
 10.      3  Problem with WMI query
 11.      2  Grid and
Re: [NF] What would you miss from VFP, when migrating
On 2019/07/01 10:53, Alan Bourke wrote:

On Thu, 27 Jun 2019, at 9:10 PM, Paul H. Tarver wrote:

I use TEXT/ENDTEXT to create dynamic SQL Queries by merging static text and dynamic variables, then pass the resulting string to SQLEXECUTE. Very convenient when creating large query strings.

var table = "mytable";
var myfield = "field1";
var myvalue=100;
var cmd = $"select {myfield} from {mytable} where value={myvalue}";

Of course when you do this properly using SQL parameters then it will look different :)

Only difference really in X# is "i" for interpolated and "e" for escaped strings:

var cmd = i"select {myfield} from {mytable} where value={myvalue}";
Re: [NF] What would you miss from VFP, when migrating
Install https://joshclose.github.io/CsvHelper/

Then:

void Main()
{
    using (var reader = new StreamReader("path\\to\\file.csv"))
    using (var csv = new CsvReader(reader))
    {
        var records = csv.GetRecords();
    }
}

Which is as follows in X# with VFP syntax selected:

function Start() as void
    using var reader = StreamReader(".file.csv")
        using var csv = CsvReader(reader)
            var records = csvGetRecords()
        end using
    end using
return
Re: [NF] What would you miss from VFP, when migrating
Hi Alan,

On 2019/07/01 10:46, Alan Bourke wrote:

The nature of .NET sort of removes the need for this but you have ExpandoObjects and Reflection should you really want to. The System.Dynamic namespace.

This is true and I have removed a lot of my macros used in Visual Objects by use of Reflection. There are however cases that I cannot get past using macros.

https://www.cs-script.net/

This is also true for X# having xsScript if you prefer to stay with an XBase style script engine
Re: [NF] What would you miss from VFP, when migrating
On Thu, 27 Jun 2019, at 9:10 PM, Paul H. Tarver wrote:
> I use TEXT/ENDTEXT to create dynamic SQL Queries by merging static text and
> dynamic variables, then pass the resulting string to SQLEXECUTE. Very
> convenient when creating large query strings.

var table = "mytable";
var myfield = "field1";
var myvalue=100;
var cmd = $"select {myfield} from {mytable} where value={myvalue}";

Of course when you do this properly using SQL parameters then it will look different :)

--
Alan Bourke
alanpbourke (at) fastmail (dot) fm
Re: [NF] What would you miss from VFP, when migrating
On Thu, 27 Jun 2019, at 5:53 PM, Paul H. Tarver wrote:
> I would greatly miss the speedy import capabilities of Foxpro and the CREATE
> CURSOR to build temporary files to temporarily hold imported data

Well, assuming CSV:

Install https://joshclose.github.io/CsvHelper/

Then:

void Main()
{
    using (var reader = new StreamReader("path\\to\\file.csv"))
    using (var csv = new CsvReader(reader))
    {
        var records = csv.GetRecords();
    }
}

So you have a collection of records in 'records' with which you can do what you like.

--
Alan Bourke
alanpbourke (at) fastmail (dot) fm
Re: [NF] What would you miss from VFP, when migrating
On Thu, 27 Jun 2019, at 6:25 PM, Kevin Cully wrote:
> Another language command is the SCATTER NAME and GATHER NAME. The
> ability to create an object with properties that corresponds to each
> field of a record is incredibly useful

Pick any one of the many ORMs!

--
Alan Bourke
alanpbourke (at) fastmail (dot) fm
Re: [NF] What would you miss from VFP, when migrating
On Thu, 27 Jun 2019, at 1:52 PM, Johan Nel wrote:
> Hi VFPers
>
> I have asked this question on foxite too with very little feedback, so I
> am asking it here too.

> 1. Macro-compilation

The nature of .NET sort of removes the need for this but you have ExpandoObjects and Reflection should you really want to. The System.Dynamic namespace.

> 2.