Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread Stephen Russell
25 years ago as a guess.  I probably didn't use the ? operator.

On Mon, Jul 1, 2019 at 2:39 PM MB Software Solutions, LLC <
mbsoftwaresoluti...@mbsoftwaresolutions.com> wrote:

> Maybe this was back in VFP6 days, when _Stephen last worked in VFP
> regularly.  LOL
>
> 
>
>
> On 7/1/2019 3:19 PM, Frank Cazabon wrote:
> > OK, my code is just simulating what would have been entered in the
> > textbox.
> >
> > So I changed it to this:
> >
> > m.CompanyID = "' or 1 = 1;  drop table deleteMe ; --"
> > m.lcWhereClause = "WHERE test = ?m.CompanyID"
> >
> > TEXT TO m.lcSQL NOSHOW TEXTMERGE
> > SELECT *
> > FROM deleteme
> > <<m.lcWhereClause>>
> > ENDTEXT
> > m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")
> >
> > It ran with no unexpected result. The deleteme table is still in the
> > database. What are you expecting to happen?
> >
> > Maybe you can take my code and adjust it to show what the issue is?
> >
> > Frank.
> >
> > Frank Cazabon
> >
> > On 01/07/2019 02:40 PM, Stephen Russell wrote:
> >> Actually, in the textbox of your form, you would put it there.
> >>   '  or 1 = 1;  Drop table deleteMe  ; --
> >>
> >> The closing quote mark, the Or condition with the semicolon. Next
> >> statement is simple to delete a table in the database with another
> >> semicolon.  Then put in 2 minus signs to comment out the rest of the
> >> code
> >> that you thought was going to operate.
> >>
> >>
> >>
> >> On Mon, Jul 1, 2019 at 1:05 PM Frank Cazabon 
> >> wrote:
> >>
> >>> Stephen,
> >>>
> >>> just in case you missed my question:
> >>>
> >>> Do you mean change this line:
> >>>
> >>> m.CompanyID = "1 = 1; drop table deleteMe ; --"
> >>>
> >>> To this:
> >>>
> >>> m.CompanyID = "or 1 = 1; drop table deleteMe ; --"
> >>>
> >>> Frank.
> >>>
> >>> Frank Cazabon
> >>>
> >>> On 28/06/2019 04:23 PM, Stephen Russell wrote:
> >>>> I believe that you needed an OR
> >>>>
> >>>> "1 = 1;  drop table deleteMe ; --"
> >>>>
> >>>> " or 1 = 1;  drop table deleteMe ; --"
> >>>>
> >>>> On Fri, Jun 28, 2019 at 1:34 PM Frank Cazabon
> >>>> wrote:
> >>>>
> 
> > I created a database SQL Server called junk and added a table called
> > deleteme with one column called test nchar(10).
> >
> > I ran the code below and the deleteme table is still there. Did I do
> > what you wanted or have I misinterpreted your request?
> >
> > TEXT TO m.lcConnectionString NOSHOW TEXTMERGE
> > DRIVER=SQL Server Native Client
> > 11.0;Trusted_Connection=Yes;DATABASE=junk;SERVER=< > here>>;Application Name=JunkTest
> > ENDTEXT
> >
> > LOCAL m.lnHandle
> >
> > lnDispLogin = SQLGETPROP(0,"DispLogin")
> > SQLSETPROP(0,"DispLogin",3)   &&& never
> > m.lnHandle = SQLSTRINGCONNECT(m.lcConnectionString,.T.)
> > SQLSETPROP(0,"DispLogin",lnDispLogin)
> > IF m.lnHandle > 0
> >m.CompanyID = "1 = 1;  drop table deleteMe ; --"
> >m.lcWhereClause = "WHERE test = ?m.CompanyID"
> >
> >TEXT TO m.lcSQL NOSHOW TEXTMERGE
> >SELECT *
> >FROM deleteme
> >   <<m.lcWhereClause>>
> >ENDTEXT
> >m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")
> >SQLDISCONNECT(m.lnHandle)
> >MESSAGEBOX(m.lcSQL + " has run")
> > ELSE
> >MESSAGEBOX("Unable to connect")
> > ENDIF
> >
> >
> > FUNCTION RunSQL
> > LPARAMETERS tnHandle, tcSQL, tcMessage, tuCursor
> >
> > LOCAL m.llSuccess
> > m.llSuccess = .T.
> >
> > IF TYPE("m.tcMessage") = "L"
> >m.tcMessage = ""
> > ENDIF
> >
> > IF TYPE("m.tuCursor") = "L"
> >m.tuCursor = ""
> > ENDIF
> >
> > m.llSuccess = SQLEXEC(m.tnHandle, m.tcSQL, m.tuCursor) > 0
> > IF NOT m.llSuccess
> >AERROR(laError)
> >SET STEP ON
> >STRTOFILE("Error: " + laError[2] + " Unable to execute:" + m.tcSQL + CRLF, "Convert DivChqs to Stars.log", 1)
> > ELSE
> >IF NOT EMPTY(m.tcMessage)
> >STRTOFILE(m.tcMessage + CRLF, "Convert DivChqs to Stars.log", 1)
> >ENDIF
> > ENDIF
> > RETURN m.llSuccess
> >
> >
> > Frank.
> >
> > Frank Cazabon
> >
> > On 28/06/2019 02:11 PM, Stephen Russell wrote:
> >> This looks like a great test for Text EndText!
> >>
> >> create a table deleteMe
> >>
> >> In the form put text like this:  [any value for a customer here]   or 1 = 1 ;  drop table deleteMe ; --
> >>
> >> m.CompanyID = ALLTRIM(thisform.CoCode.value)
> >> m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"
> >>
> >> What do you see in the entire statement you put together?
> >>
> >> If you run it against a SQL box does your table disappear?
> >>
> >> To get around 1 = 1 you could have a TON of different
> >> combinations to
> > get a
> 

Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread MB Software Solutions, LLC
Maybe this was back in VFP6 days, when _Stephen last worked in VFP 
regularly.  LOL





On 7/1/2019 3:19 PM, Frank Cazabon wrote:
OK, my code is just simulating what would have been entered in the 
textbox.


So I changed it to this:

m.CompanyID = "' or 1 = 1;  drop table deleteMe ; --"
m.lcWhereClause = "WHERE test = ?m.CompanyID"

TEXT TO m.lcSQL NOSHOW TEXTMERGE
    SELECT *
    FROM deleteme
    <<m.lcWhereClause>>
ENDTEXT
m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")

It ran with no unexpected result. The deleteme table is still in the 
database. What are you expecting to happen?


Maybe you can take my code and adjust it to show what the issue is?

Frank.

Frank Cazabon

On 01/07/2019 02:40 PM, Stephen Russell wrote:

Actually, in the textbox of your form, you would put it there.
  '  or 1 = 1;  Drop table deleteMe  ; --

The closing quote mark, the Or condition with the semicolon. Next
statement is simple to delete a table in the database with another
semicolon.  Then put in 2 minus signs to comment out the rest of the 
code

that you thought was going to operate.



On Mon, Jul 1, 2019 at 1:05 PM Frank Cazabon 
wrote:


Stephen,

just in case you missed my question:

Do you mean change this line:

m.CompanyID = "1 = 1; drop table deleteMe ; --"

To this:

m.CompanyID = "or 1 = 1; drop table deleteMe ; --"

Frank.

Frank Cazabon

On 28/06/2019 04:23 PM, Stephen Russell wrote:

I believe that you needed an OR

"1 = 1;  drop table deleteMe ; --"

" or 1 = 1;  drop table deleteMe ; --"

On Fri, Jun 28, 2019 at 1:34 PM Frank Cazabon 


wrote:


I created a database SQL Server called junk and added a table called
deleteme with one column called test nchar(10).

I ran the code below and the deleteme table is still there. Did I do
what you wanted or have I misinterpreted your request?

TEXT TO m.lcConnectionString NOSHOW TEXTMERGE
DRIVER=SQL Server Native Client
11.0;Trusted_Connection=Yes;DATABASE=junk;SERVER=<>;Application Name=JunkTest
ENDTEXT

LOCAL m.lnHandle

lnDispLogin = SQLGETPROP(0,"DispLogin")
SQLSETPROP(0,"DispLogin",3)   &&& never
m.lnHandle = SQLSTRINGCONNECT(m.lcConnectionString,.T.)
SQLSETPROP(0,"DispLogin",lnDispLogin)
IF m.lnHandle > 0
   m.CompanyID = "1 = 1;  drop table deleteMe ; --"
   m.lcWhereClause = "WHERE test = ?m.CompanyID"

   TEXT TO m.lcSQL NOSHOW TEXTMERGE
   SELECT *
   FROM deleteme
   <<m.lcWhereClause>>
   ENDTEXT
   m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")
   SQLDISCONNECT(m.lnHandle)
   MESSAGEBOX(m.lcSQL + " has run")
ELSE
   MESSAGEBOX("Unable to connect")
ENDIF


FUNCTION RunSQL
LPARAMETERS tnHandle, tcSQL, tcMessage, tuCursor

LOCAL m.llSuccess
m.llSuccess = .T.

IF TYPE("m.tcMessage") = "L"
   m.tcMessage = ""
ENDIF

IF TYPE("m.tuCursor") = "L"
   m.tuCursor = ""
ENDIF

m.llSuccess = SQLEXEC(m.tnHandle, m.tcSQL, m.tuCursor) > 0
IF NOT m.llSuccess
   AERROR(laError)
   SET STEP ON
   STRTOFILE("Error: " + laError[2] + " Unable to execute:" + m.tcSQL + CRLF, "Convert DivChqs to Stars.log", 1)
ELSE
   IF NOT EMPTY(m.tcMessage)
   STRTOFILE(m.tcMessage + CRLF, "Convert DivChqs to Stars.log", 1)

   ENDIF
ENDIF
RETURN m.llSuccess


Frank.

Frank Cazabon

On 28/06/2019 02:11 PM, Stephen Russell wrote:

This looks like a great test for Text EndText!

create a table deleteMe

In the form put text like this:  [any value for a customer here]   or 1 = 1 ;  drop table deleteMe ; --

m.CompanyID = ALLTRIM(thisform.CoCode.value)
m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"

What do you see in the entire statement you put together?

If you run it against a SQL box does your table disappear?

To get around 1 = 1 you could have a TON of different combinations to get a true result.  'abc <> 'cba' does the trick to create a true condition and off it goes.








On Fri, Jun 28, 2019 at 12:13 PM Frank Cazabon <

frank.caza...@gmail.com>

wrote:


To make your code safer, ensure you use parameters:

m.CompanyID = ALLTRIM(thisform.CoCode.value)
m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"

Frank.

Frank Cazabon

On 28/06/2019 11:14 AM, Paul H. Tarver wrote:
I've never doubted the benefits of stored procedures and if I were an in-house programmer for a company with full admin rights and/or console access to the SQL Servers, I would be tempted to always use stored procedures myself. However, that is NOT the world I work in. My job is to build interfaces to move data between different systems. I am usually provided with READ-ONLY SQL credentials so I can then issue SELECT queries to extract data and then use the results of those queries to create data feeds into other systems.

Our systems pull data in one direction only and when I describe dynamic SQL statements I'm referring to something little like this (although most are far more complicated queries with lots of moving parts):

 lcWhereClause = "WHERE emp.CpnyID = 

Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread Frank Cazabon

OK, my code is just simulating what would have been entered in the textbox.

So I changed it to this:

m.CompanyID = "' or 1 = 1;  drop table deleteMe ; --"
m.lcWhereClause = "WHERE test = ?m.CompanyID"

TEXT TO m.lcSQL NOSHOW TEXTMERGE
SELECT *
FROM deleteme
<<m.lcWhereClause>>
ENDTEXT
m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")

It ran with no unexpected result. The deleteme table is still in the 
database. What are you expecting to happen?


Maybe you can take my code and adjust it to show what the issue is?

Frank.

Frank Cazabon

On 01/07/2019 02:40 PM, Stephen Russell wrote:

Actually, in the textbox of your form, you would put it there.
  '  or 1 = 1;  Drop table deleteMe  ; --

The closing quote mark, the Or condition with the semicolon.  Next
statement is simple to delete a table in the database with another
semicolon.  Then put in 2 minus signs to comment out the rest of the code
that you thought was going to operate.



On Mon, Jul 1, 2019 at 1:05 PM Frank Cazabon 
wrote:


Stephen,

just in case you missed my question:

Do you mean change this line:

m.CompanyID = "1 = 1; drop table deleteMe ; --"

To this:

m.CompanyID = "or 1 = 1; drop table deleteMe ; --"

Frank.

Frank Cazabon

On 28/06/2019 04:23 PM, Stephen Russell wrote:

I believe that you needed an OR

"1 = 1;  drop table deleteMe ; --"

" or 1 = 1;  drop table deleteMe ; --"

On Fri, Jun 28, 2019 at 1:34 PM Frank Cazabon 
wrote:


I created a database SQL Server called junk and added a table called
deleteme with one column called test nchar(10).

I ran the code below and the deleteme table is still there. Did I do
what you wanted or have I misinterpreted your request?

TEXT TO m.lcConnectionString NOSHOW TEXTMERGE
DRIVER=SQL Server Native Client
11.0;Trusted_Connection=Yes;DATABASE=junk;SERVER=<>;Application Name=JunkTest
ENDTEXT

LOCAL m.lnHandle

lnDispLogin = SQLGETPROP(0,"DispLogin")
SQLSETPROP(0,"DispLogin",3)   &&& never
m.lnHandle = SQLSTRINGCONNECT(m.lcConnectionString,.T.)
SQLSETPROP(0,"DispLogin",lnDispLogin)
IF m.lnHandle > 0
   m.CompanyID = "1 = 1;  drop table deleteMe ; --"
   m.lcWhereClause = "WHERE test = ?m.CompanyID"

   TEXT TO m.lcSQL NOSHOW TEXTMERGE
   SELECT *
   FROM deleteme
   <<m.lcWhereClause>>
   ENDTEXT
   m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")
   SQLDISCONNECT(m.lnHandle)
   MESSAGEBOX(m.lcSQL + " has run")
ELSE
   MESSAGEBOX("Unable to connect")
ENDIF


FUNCTION RunSQL
LPARAMETERS tnHandle, tcSQL, tcMessage, tuCursor

LOCAL m.llSuccess
m.llSuccess = .T.

IF TYPE("m.tcMessage") = "L"
   m.tcMessage = ""
ENDIF

IF TYPE("m.tuCursor") = "L"
   m.tuCursor = ""
ENDIF

m.llSuccess = SQLEXEC(m.tnHandle, m.tcSQL, m.tuCursor) > 0
IF NOT m.llSuccess
   AERROR(laError)
   SET STEP ON
   STRTOFILE("Error: " + laError[2] + " Unable to execute:" + m.tcSQL + CRLF, "Convert DivChqs to Stars.log", 1)
ELSE
   IF NOT EMPTY(m.tcMessage)
   STRTOFILE(m.tcMessage + CRLF, "Convert DivChqs to Stars.log", 1)

   ENDIF
ENDIF
RETURN m.llSuccess


Frank.

Frank Cazabon

On 28/06/2019 02:11 PM, Stephen Russell wrote:

This looks like a great test for Text EndText!

create a table deleteMe

In the form put text like this:  [any value for a customer here]   or 1 = 1 ;  drop table deleteMe ; --

m.CompanyID = ALLTRIM(thisform.CoCode.value)
m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"

What do you see in the entire statement you put together?

If you run it against a SQL box does your table disappear?

To get around 1 = 1 you could have a TON of different combinations to get a true result.  'abc <> 'cba'  does the trick to create a true condition and off it goes.








On Fri, Jun 28, 2019 at 12:13 PM Frank Cazabon <

frank.caza...@gmail.com>

wrote:


To make your code safer, ensure you use parameters:

m.CompanyID = ALLTRIM(thisform.CoCode.value)
m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"

Frank.

Frank Cazabon

On 28/06/2019 11:14 AM, Paul H. Tarver wrote:

I've never doubted the benefits of stored procedures and if I were an in-house programmer for a company with full admin rights and/or console access to the SQL Servers, I would be tempted to always use stored procedures myself. However, that is NOT the world I work in. My job is to build interfaces to move data between different systems. I am usually provided with READ-ONLY SQL credentials so I can then issue SELECT queries to extract data and then use the results of those queries to create data feeds into other systems.

Our systems pull data in one direction only and when I describe dynamic SQL statements I'm referring to something little like this (although most are far more complicated queries with lots of moving parts):

 lcWhereClause = "WHERE emp.CpnyID = '" + ALLTRIM(thisform.CoCode.value)

 TEXT TO lcSQLCmd TEXTMERGE NOSHOW
 

Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread Stephen Russell
Actually, in the textbox of your form, you would put it there.
 '  or 1 = 1;  Drop table deleteMe  ; --

The closing quote mark, the Or condition with the semicolon.  Next
statement is simple to delete a table in the database with another
semicolon.  Then put in 2 minus signs to comment out the rest of the code
that you thought was going to operate.



On Mon, Jul 1, 2019 at 1:05 PM Frank Cazabon 
wrote:

> Stephen,
>
> just in case you missed my question:
>
> Do you mean change this line:
>
> m.CompanyID = "1 = 1; drop table deleteMe ; --"
>
> To this:
>
> m.CompanyID = "or 1 = 1; drop table deleteMe ; --"
>
> Frank.
>
> Frank Cazabon
>
> On 28/06/2019 04:23 PM, Stephen Russell wrote:
> > I believe that you needed an OR
> >
> > "1 = 1;  drop table deleteMe ; --"
> >
> > " or 1 = 1;  drop table deleteMe ; --"
> >
> > On Fri, Jun 28, 2019 at 1:34 PM Frank Cazabon 
> > wrote:
> >
> >> I created a database SQL Server called junk and added a table called
> >> deleteme with one column called test nchar(10).
> >>
> >> I ran the code below and the deleteme table is still there. Did I do
> >> what you wanted or have I misinterpreted your request?
> >>
> >> TEXT TO m.lcConnectionString NOSHOW TEXTMERGE
> >> DRIVER=SQL Server Native Client
> >> 11.0;Trusted_Connection=Yes;DATABASE=junk;SERVER=< >> here>>;Application Name=JunkTest
> >> ENDTEXT
> >>
> >> LOCAL m.lnHandle
> >>
> >> lnDispLogin = SQLGETPROP(0,"DispLogin")
> >> SQLSETPROP(0,"DispLogin",3)   &&& never
> >> m.lnHandle = SQLSTRINGCONNECT(m.lcConnectionString,.T.)
> >> SQLSETPROP(0,"DispLogin",lnDispLogin)
> >> IF m.lnHandle > 0
> >>   m.CompanyID = "1 = 1;  drop table deleteMe ; --"
> >>   m.lcWhereClause = "WHERE test = ?m.CompanyID"
> >>
> >>   TEXT TO m.lcSQL NOSHOW TEXTMERGE
> >>   SELECT *
> >>   FROM deleteme
> >>   <<m.lcWhereClause>>
> >>   ENDTEXT
> >>   m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")
> >>   SQLDISCONNECT(m.lnHandle)
> >>   MESSAGEBOX(m.lcSQL + " has run")
> >> ELSE
> >>   MESSAGEBOX("Unable to connect")
> >> ENDIF
> >>
> >>
> >> FUNCTION RunSQL
> >> LPARAMETERS tnHandle, tcSQL, tcMessage, tuCursor
> >>
> >> LOCAL m.llSuccess
> >> m.llSuccess = .T.
> >>
> >> IF TYPE("m.tcMessage") = "L"
> >>   m.tcMessage = ""
> >> ENDIF
> >>
> >> IF TYPE("m.tuCursor") = "L"
> >>   m.tuCursor = ""
> >> ENDIF
> >>
> >> m.llSuccess = SQLEXEC(m.tnHandle, m.tcSQL, m.tuCursor) > 0
> >> IF NOT m.llSuccess
> >>   AERROR(laError)
> >>   SET STEP ON
> >>   STRTOFILE("Error: " + laError[2] + " Unable to execute:" + m.tcSQL + CRLF, "Convert DivChqs to Stars.log", 1)
> >> ELSE
> >>   IF NOT EMPTY(m.tcMessage)
> >>   STRTOFILE(m.tcMessage + CRLF, "Convert DivChqs to Stars.log", 1)
> >>   ENDIF
> >> ENDIF
> >> RETURN m.llSuccess
> >>
> >>
> >> Frank.
> >>
> >> Frank Cazabon
> >>
> >> On 28/06/2019 02:11 PM, Stephen Russell wrote:
> >>> This looks like a great test for Text EndText!
> >>>
> >>> create a table deleteMe
> >>>
> >>> In the form put text like this:  [any value for a customer here]   or 1 = 1 ;  drop table deleteMe ; --
> >>>
> >>> m.CompanyID = ALLTRIM(thisform.CoCode.value)
> >>> m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"
> >>>
> >>> What do you see in the entire statement you put together?
> >>>
> >>> If you run it against a SQL box does your table disappear?
> >>>
> >>> To get around 1 = 1 you could have a TON of different combinations to get a true result.  'abc <> 'cba'  does the trick to create a true condition and off it goes.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> On Fri, Jun 28, 2019 at 12:13 PM Frank Cazabon <
> frank.caza...@gmail.com>
> >>> wrote:
> >>>
> >>>> To make your code safer, ensure you use parameters:
> >>>>
> >>>> m.CompanyID = ALLTRIM(thisform.CoCode.value)
> >>>> m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"
> >>>>
> >>>> Frank.
> >>>>
> >>>> Frank Cazabon
> >>>>
> >>>> On 28/06/2019 11:14 AM, Paul H. Tarver wrote:
> >>>>> I've never doubted the benefits of stored procedures and if I were an
> >>>>> in-house programmer for a company with full admin rights and/or console
> >>>>> access to the SQL Servers, I would be tempted to always use stored
> >>>>> procedures myself. However, that is NOT the world I work in. My job is to
> >>>>> build interfaces to move data between different systems. I am usually
> >>>>> provided with READ-ONLY SQL credentials so I can then issue SELECT queries
> >>>>> to extract data and then use the results of those queries to create data
> >>>>> feeds into other systems.
> >>>>>
> >>>>> Our systems pull data in one direction only and when I describe dynamic SQL
> >>>>> statements I'm referring to something little like this (although most are
> >>>>> far more complicated queries with lots of moving parts):
> >>>>>
> >>>>> lcWhereClause = "WHERE emp.CpnyID = '" + ALLTRIM(thisform.CoCode.value)
> >>>>>
> >>>>

Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread Frank Cazabon

Stephen,

just in case you missed my question:

Do you mean change this line:

m.CompanyID = "1 = 1; drop table deleteMe ; --"

To this:

m.CompanyID = "or 1 = 1; drop table deleteMe ; --"

Frank.

Frank Cazabon

On 28/06/2019 04:23 PM, Stephen Russell wrote:

I believe that you needed an OR

"1 = 1;  drop table deleteMe ; --"

" or 1 = 1;  drop table deleteMe ; --"

On Fri, Jun 28, 2019 at 1:34 PM Frank Cazabon 
wrote:


I created a database SQL Server called junk and added a table called
deleteme with one column called test nchar(10).

I ran the code below and the deleteme table is still there. Did I do
what you wanted or have I misinterpreted your request?

TEXT TO m.lcConnectionString NOSHOW TEXTMERGE
DRIVER=SQL Server Native Client
11.0;Trusted_Connection=Yes;DATABASE=junk;SERVER=<>;Application Name=JunkTest
ENDTEXT

LOCAL m.lnHandle

lnDispLogin = SQLGETPROP(0,"DispLogin")
SQLSETPROP(0,"DispLogin",3)   &&& never
m.lnHandle = SQLSTRINGCONNECT(m.lcConnectionString,.T.)
SQLSETPROP(0,"DispLogin",lnDispLogin)
IF m.lnHandle > 0
  m.CompanyID = "1 = 1;  drop table deleteMe ; --"
  m.lcWhereClause = "WHERE test = ?m.CompanyID"

  TEXT TO m.lcSQL NOSHOW TEXTMERGE
  SELECT *
  FROM deleteme
  <<m.lcWhereClause>>
  ENDTEXT
  m.llSuccess = RunSQL(m.lnHandle, m.lcSQL, "", "c_junk")
  SQLDISCONNECT(m.lnHandle)
  MESSAGEBOX(m.lcSQL + " has run")
ELSE
  MESSAGEBOX("Unable to connect")
ENDIF


FUNCTION RunSQL
LPARAMETERS tnHandle, tcSQL, tcMessage, tuCursor

LOCAL m.llSuccess
m.llSuccess = .T.

IF TYPE("m.tcMessage") = "L"
  m.tcMessage = ""
ENDIF

IF TYPE("m.tuCursor") = "L"
  m.tuCursor = ""
ENDIF

m.llSuccess = SQLEXEC(m.tnHandle, m.tcSQL, m.tuCursor) > 0
IF NOT m.llSuccess
  AERROR(laError)
  SET STEP ON
  STRTOFILE("Error: " + laError[2] + " Unable to execute:" + m.tcSQL + CRLF, "Convert DivChqs to Stars.log", 1)
ELSE
  IF NOT EMPTY(m.tcMessage)
  STRTOFILE(m.tcMessage + CRLF, "Convert DivChqs to Stars.log", 1)
  ENDIF
ENDIF
RETURN m.llSuccess


Frank.

Frank Cazabon

On 28/06/2019 02:11 PM, Stephen Russell wrote:

This looks like a great test for Text EndText!

create a table deleteMe

In the form put text like this:  [any value for a customer here]   or 1 = 1 ;  drop table deleteMe ; --

m.CompanyID = ALLTRIM(thisform.CoCode.value)
m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"

What do you see in the entire statement you put together?

If you run it against a SQL box does your table disappear?

To get around 1 = 1 you could have a TON of different combinations to get a true result.  'abc <> 'cba'  does the trick to create a true condition and off it goes.








On Fri, Jun 28, 2019 at 12:13 PM Frank Cazabon 
wrote:


To make your code safer, ensure you use parameters:

m.CompanyID = ALLTRIM(thisform.CoCode.value)
m.lcWhereClause = "WHERE emp.CpnyID = ?m.CompanyID"

Frank.

Frank Cazabon

On 28/06/2019 11:14 AM, Paul H. Tarver wrote:

I've never doubted the benefits of stored procedures and if I were an in-house programmer for a company with full admin rights and/or console access to the SQL Servers, I would be tempted to always use stored procedures myself. However, that is NOT the world I work in. My job is to build interfaces to move data between different systems. I am usually provided with READ-ONLY SQL credentials so I can then issue SELECT queries to extract data and then use the results of those queries to create data feeds into other systems.

Our systems pull data in one direction only and when I describe dynamic SQL statements I'm referring to something little like this (although most are far more complicated queries with lots of moving parts):

lcWhereClause = "WHERE emp.CpnyID = '" + ALLTRIM(thisform.CoCode.value)

TEXT TO lcSQLCmd TEXTMERGE NOSHOW
SELECT
  CAST(emp.CpnyID AS CHAR(20)) AS compid,
  CAST(emp.EmpId AS CHAR(20)) AS emplid,
  emp.NameFirst as fname,
  emp.NameMiddle as mname,
  emp.NameLast as lname,
  emp.StrtDate as hire_date
FROM dbo.Employee emp
<<lcWhereClause>>
ENDTEXT

lnStatus = SQLEXEC(lnSQLHandle, lcSQLCmd, "EmpList")

We accept and validate the selection of the CoCode by the user and then we construct the "dynamic query." I suspect your perception of a Dynamic Query is greatly different than mine. The point of my original comment was to praise the ease with which I can construct SQL statements in a TEXT/ENDTEXT construct and I think this example shows that

Thanks!

Paul H. Tarver


-Original Message-
From: ProfoxTech [mailto:profoxtech-boun...@leafe.com] On Behalf Of Stephen Russell
Sent: Friday, June 28, 2019 9:27 AM
To: profoxt...@leafe.com
Subject: Re: [NF] What would you miss from VFP, when migrating

I am backing off of licenses for SQL Enterprise down to Standard for 2/3 of all my SQL Server usage in my new deployments.  Use to have a total of 96 cores running 

Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread Stephen Russell
I love me some ORM!

Snippet on making an object to be populated with data and saved.   You can
pile in the Add() objects and then call the SaveChanges() once if you need
to.  Such as N sales order detail lines.

public static void loadresp(String Plant, String respStr)
{
    using (RingSecurityEntities1 dbb = new RingSecurityEntities1())
    {
        SafetyCultureResponse responseFrom = new SafetyCultureResponse();
        Guid gu = Guid.NewGuid();
        responseFrom.ID = gu;
        responseFrom.EventDate = DateTime.Now;
        responseFrom.ReponsePlant = Plant;
        responseFrom.ResponsePhrase = respStr;
        dbb.SafetyCultureResponses.Add(responseFrom);
        dbb.SaveChanges();
    }
}


On Mon, Jul 1, 2019 at 3:47 AM Alan Bourke  wrote:

> On Thu, 27 Jun 2019, at 6:25 PM, Kevin Cully wrote:
>
>
> > Another language command is the SCATTER NAME and GATHER NAME. The
> > ability to create an object with properties that corresponds to each
> > field of a record is incredibly useful
>
> Pick any one of the many ORMs!
>
> --
>   Alan Bourke
>   alanpbourke (at) fastmail (dot) fm
>
[excessive quoting removed by server]

___
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: https://leafe.com/archives
This message: 
https://leafe.com/archives/byMID/cajidmy+-5wroxg8n57hpwc+ujrkivcdvbzg-tbrakbsoiw4...@mail.gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.


ProFox List Statistics for June 2019

2019-07-01 Thread List Administrator Account
==
ProFox List Statistics
June 2019
==
Subscriber Count at End of Month:
ProFox: 292
ProFoxTech: 182
==

Total Posts: 127
(Down 30.98% from May 2019)

Total [OT] Posts: 3
(Up 100.0% from May 2019)

Total [NF] Posts: 52
(Up 44.44% from May 2019)


Daily Message Counts for June 2019

DOW  Date  Count
---    -
 S 1  -   1
 S 2  -   2
 M 3  -   2
 T 4  -   2
 W 5  -   4
 T 6  -  22
 F 7  -   4
 M10  -   7
 T11  -  10
 S16  -   2
 M17  -   3
 T18  -   7
 W19  -   1
 M24  -   1
 T25  -   7
 W26  -   1
 T27  -  28
 F28  -  22
 S29  -   1


Message Counts By Day of Week for June 2019

DOW  Count
---  -
Sun -4
Mon -   13
Tue -   26
Wed -6
Thu -   50
Fri -   26
Sat -2


Distinct Posters to the List
(changes relative to May 2019)

Non-OT messages: 27 (Down 18.18%)
OT messages: 2 (Up 100.0%)
NF messages: 12 (Down 14.29%)
Total number: 27 (Down 18.18%)


Top 20 Contributors by Number of Non-OT Posts

|Posts   Contributor   |

  1.   15Stephen Russell 
  2.   13Paul H. Tarver 
  3.   12MB Software Solutions, LLC 
  4.9Tracy Pearson 
  5.8Ted Roche 
  6.8Johan Nel 
  7.7Gene Wirchenko 
  8.7Alan Bourke 
  9.6António Tavares Lopes 
 10.6Frank Cazabon 
 11.4Paul Newton 
 12.3Ajoy Khaund 
 13.3Man-wai Chang 
 14.2Eric Selje 
 15.2Rick Schummer 
 16.2Fletcher Johnson 
 17.2Richard Kaye 
 18.2
 19.2John Weller 
 20.2Bill Anderson 


Top 2 Contributors by Number of OT Posts

|Posts   OT%  Contributor  |

  1.220%  Johan Nel 
  2.1 8%  MB Software Solutions, LLC 


Top 12 Contributors by Number of NF Posts

|Posts   Contributor   |

  1.   13Stephen Russell 
  2.9MB Software Solutions, LLC 
  3.7Johan Nel 
  4.7Paul H. Tarver 
  5.6Frank Cazabon 
  6.3António Tavares Lopes 
  7.2Alan Bourke 
  8.1
  9.1Ted Roche 
 10.1Charles Hart Enzer, M.D. 
 11.1Kevin Cully 
 12.1John Weller 


Top 20 Contributors by Total Number of Posts

|Posts   Contributor   |

  1.   15Stephen Russell 
  2.   13Paul H. Tarver 
  3.   13MB Software Solutions, LLC 
  4.   10Johan Nel 
  5.9Tracy Pearson 
  6.8Ted Roche 
  7.7Gene Wirchenko 
  8.7Alan Bourke 
  9.6António Tavares Lopes 
 10.6Frank Cazabon 
 11.4Paul Newton 
 12.3Ajoy Khaund 
 13.3Man-wai Chang 
 14.2Eric Selje 
 15.2Rick Schummer 
 16.2Fletcher Johnson 
 17.2Richard Kaye 
 18.2
 19.2John Weller 
 20.2Bill Anderson 


Top 14 Contributors by Number of New Threads Started

|Posts   Contributor   |

  1.3Johan Nel 
  2.2MB Software Solutions, LLC 
  3.2Rick Schummer 
  4.2
  5.2Stephen Russell 
  6.2Paul Newton 
  7.1List Administrator Account 
  8.1Ajoy Khaund 
  9.1Gene Wirchenko 
 10.1Bill Anderson 
 11.1Paul H. Tarver 
 12.1Tracy Pearson 
 13.1Charles Hart Enzer, M.D. 
 14.1Eric Selje 


Top 20 Non-OT Threads by Total Number of Posts
--
|Posts   Subject |
--
  1.   40[NF] What would you miss from VFP, when migrating
  2.   23Funny bug
  3.   12Odd Error Message
  4.8VFP 9 SP fix lists
  5.7Mobile App
  6.5ProFox List Statistics for May 2019
  7.4[NF] Scaling in mySQL?
  8.3[NF] Fun with Table of Contents in MS Word 2016 (...NOT FUN)
  9.3Odd build error when trying to create automation COM component; 
references drive/folder I don't have in Project Info/Servers tab
 10.3Problem with WMI query
 11.2Grid and 

Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread Johan Nel

On 2019/07/01 10:53, Alan Bourke wrote:
> On Thu, 27 Jun 2019, at 9:10 PM, Paul H. Tarver wrote:
> > I use TEXT/ENDTEXT to create dynamic SQL Queries by merging static text and
> > dynamic variables, then pass the resulting string to SQLEXECUTE. Very
> > convenient when creating large query strings.
>
> var mytable = "mytable";
> var myfield = "field1";
> var myvalue=100;
> var cmd = $"select {myfield} from {mytable} where value={myvalue}";
>
> Of course when you do this properly using SQL parameters then it will look
> different :)

Only difference really in X# is "i" for interpolated and "e" for escaped
strings:
var cmd = i"select {myfield} from {mytable} where value={myvalue}";


This message: 
https://leafe.com/archives/byMID/38334063-d4ed-2ba6-98b6-94ebf9924...@xsinet.co.za


Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread Johan Nel



Install https://joshclose.github.io/CsvHelper/

Then:

void Main()
{
 using (var reader = new StreamReader("path\\to\\file.csv"))
 using (var csv = new CsvReader(reader))
 {
 var records = csv.GetRecords();
 }
}


Which is as follows in X# with VFP syntax selected:

function Start() as void
  using var reader = StreamReader(".file.csv")
    using var csv = CsvReader(reader)
  var records = csvGetRecords()
    end using
  end using
return


This message: 
https://leafe.com/archives/byMID/df89b7e7-1085-8e15-e54a-5e73294b7...@xsinet.co.za

Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread Johan Nel

Hi Alan,

On 2019/07/01 10:46, Alan Bourke wrote:
> The nature of .NET sort of removes the need for this but you have
> ExpandoObjects and Reflection should you really want to. The
> System.Dynamic namespace.
This is true and I have removed a lot of my macros used in Visual
Objects by use of Reflection.  There are however cases that I cannot get
past using macros.
> https://www.cs-script.net/
This is also true for X# having xsScript if you prefer to stay with an
XBase style script engine


___
This message: 
https://leafe.com/archives/byMID/0369a9a2-b154-89f7-4568-db6c4c8c5...@xsinet.co.za

Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread Alan Bourke
On Thu, 27 Jun 2019, at 9:10 PM, Paul H. Tarver wrote:
> I use TEXT/ENDTEXT to create dynamic SQL Queries by merging static text and
> dynamic variables, then pass the resulting string to SQLEXECUTE. Very
> convenient when creating large query strings. 

var table = "mytable";
var myfield = "field1";
var myvalue = 100;
var cmd = $"select {myfield} from {table} where value={myvalue}";

Of course when you do this properly using SQL parameters then it will look 
different :)

-- 
  Alan Bourke
  alanpbourke (at) fastmail (dot) fm
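
The parameterised form that Alan says "will look different", written out as an added example (this is not code from the original post). It assumes SQL Server through System.Data.SqlClient, a connection string supplied by the caller, and a text column named `value`; the table and column names in the allow-lists are placeholders. The point it adds to the interpolated version is that a parameter can only carry a value: the table and column names still have to be spliced into the SQL text, so they must be checked against a fixed list rather than taken from input.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class SafeQuery
{
    // Table and column names cannot be sent as SQL parameters, so the only
    // safe way to make them dynamic is to accept them from a fixed allow-list.
    // The names below are assumed for the example.
    static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "mytable" };
    static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "field1", "field2" };

    public static List<object> Select(string connectionString, string table,
                                      string column, string value)
    {
        if (!AllowedTables.Contains(table))
            throw new ArgumentException("table not permitted", nameof(table));
        if (!AllowedColumns.Contains(column))
            throw new ArgumentException("column not permitted", nameof(column));

        // Identifiers are interpolated only after the allow-list check and are
        // bracket-quoted. The user-supplied value is never part of the SQL text:
        // it travels as a typed parameter, so quotes, semicolons or comment
        // markers inside it are compared as literal characters and run nothing.
        string sql = $"SELECT [{column}] FROM [{table}] WHERE value = @value";

        var results = new List<object>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@value", SqlDbType.NVarChar, 100).Value = value;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(reader[0]);
            }
        }
        return results;
    }
}
```

Usage is `SafeQuery.Select(connectionString, "mytable", "field1", userInput)`. If the column list genuinely has to come from outside the program (a user-chosen sort field, say), map the incoming name to a known column through a dictionary rather than trusting the string itself; the parameter mechanism does nothing for identifiers.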

___
This message: 
https://leafe.com/archives/byMID/52f6a33b-1c9b-4da9-b806-9d21417fd...@www.fastmail.com


Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread Alan Bourke
On Thu, 27 Jun 2019, at 5:53 PM, Paul H. Tarver wrote:
> I would greatly miss the speedy import capabilities of Foxpro and the CREATE
> CURSOR to build temporary files to temporarily hold imported data

Well, assuming CSV:

Install https://joshclose.github.io/CsvHelper/

Then:

using System.IO;
using System.Linq;
using CsvHelper;

void Main()
{
    using (var reader = new StreamReader("path\\to\\file.csv"))
    using (var csv = new CsvReader(reader))
    {
        // GetRecords needs the record type; dynamic yields one object per row
        // with a property per header. ToList() materialises the rows before
        // the reader is disposed, since GetRecords enumerates lazily.
        var records = csv.GetRecords<dynamic>().ToList();
    }
}

So you have a collection of records in 'records' with which you can do what you 
like.

-- 
  Alan Bourke
  alanpbourke (at) fastmail (dot) fm

___
This message: 
https://leafe.com/archives/byMID/644d565a-57c9-457c-8528-cd69cc097...@www.fastmail.com


Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread Alan Bourke
On Thu, 27 Jun 2019, at 6:25 PM, Kevin Cully wrote:


> Another language command is the SCATTER NAME and GATHER NAME. The 
> ability to create an object with properties that corresponds to each 
> field of a record is incredibly useful

Pick any one of the many ORMs!

-- 
  Alan Bourke
  alanpbourke (at) fastmail (dot) fm

___
This message: 
https://leafe.com/archives/byMID/21bda7fc-27c5-432e-ba95-5cf7734bd...@www.fastmail.com


Re: [NF] What would you miss from VFP, when migrating

2019-07-01 Thread Alan Bourke
On Thu, 27 Jun 2019, at 1:52 PM, Johan Nel wrote:
> Hi VFPers
> 
> I have asked this question on foxite too with very little feedback, so I 
> am asking it here too.

> 1. Macro-compilation

The nature of .NET sort of removes the need for this but you have 
ExpandoObjects and Reflection should you really want to. The System.Dynamic 
namespace.

> 2.