> To: 4D iNug Technical <4d_tech@lists.4d.com>
> Cc: Aaron <aaro...@nams-inc.com>
> Subject: RE: 4D SQL Implementation
Hi Randy,
> I found that I can call a DROP TABLE in various ways with a SQL editor.
> I seem to be missing a way to keep them from successfully calling this
> command, except to not let them have ODBC access in the first place.
> We have our system set to not allow INSERTS and UPDATES, but DROP
-----Original Message-----
From: 4D_Tech [mailto:4d_tech-boun...@lists.4d.com] On Behalf Of Timothy Penner
via 4D_Tech
Sent: Monday, April 17, 2017 9:01 AM
To: 4D iNug Technical <4d_tech@lists.4d.com>
Cc: Timothy Penner
Subject: RE: 4D SQL Implementation
> Using strings built into queries is prone to sql injection if the query has
> any input from the users and is considered a deadly sin in most cases.
Here is a good example describing why you should never concatenate data into a
SQL statement; you should always use parameterized queries instead.
Aaron,
> alternatively you can use SQL EXECUTE to still be able to use local
> variables, and build your query dynamically
Using strings built into queries is prone to sql injection if the query has any
input from the users and is considered a deadly sin in most cases.
Justin
  // Join the elements of a text array (passed by pointer in $1) into one string
C_POINTER($1)
C_TEXT($2;$delim;$return;$0)
C_LONGINT($iter)
$delim:=$2  // delimiter assumed to be passed as $2 (the original fragment does not show where $delim is set)
$return:=""
For ($iter;1;Size of array($1->))
  $return:=$return+$1->{$iter}
  If ($iter#Size of array($1->))
    $return:=$return+$delim  // add delim unless it's the last record; if there is only 1 record there will be no delim
  End if
End for
$0:=$return
> Message: 1
> Date: Fri, 14 Apr 2017 08:29:56 -0600
> From: Bart Davis
> To: 4
Totally agree with all of that. I was hopeful that since Wakanda uses the same
engine that we'd see a lot of improvement in the SQL engine of 4D, but not so
much. Another example: a SELECT on an indexed field using a nested SELECT works
great until you reach a certain number of rows returned. On
Bart,
I have to agree with everything you stated. At one point in time I had a
number of SQL calls in a web app that had some heavy use. The day I rolled out
the SQL code I had to roll it back to 4D Query code because performance was so
bad the site became unusable. At this point in time I a
> On Apr 14, 2017, at 2:35 AM, 4d_tech-requ...@lists.4d.com wrote:
>
> Message: 3
> Date: Thu, 13 Apr 2017 16:31:15 -0400
> From: Jeffrey Kain
> To: 4D iNug Technical <4d_tech@lists.4d.com>
> Subject: Re: How to create Object field via SQL
> Content-Type: text/plain; charset=us