I freeze up with this stuff, just like I do with math. But...but...won't an intruder be likely to send their own queries, regardless of how the app is doing it? If they include raw values, the database will still respond, right? So why would it matter how the app is doing it?

On 4/10/2015 8:36 PM, Peter Haworth wrote:
On Fri, Apr 10, 2015 at 6:14 PM, J. Landman Gay <jac...@hyperactivesw.com>
wrote:

I'm not quite sure what Pete meant by using the variable name option in
the rev database functions though. (I am so not a database person.)


Well you opened the door by asking :-)

As an example, revDataFromQuery's syntax is

revDataFromQuery([*columnDelim*],[*rowDelim*],*databaseID*,*SQLQuery*[,
*varsList*])

"varslist" is the thing I mentioned.  It allows you have a SELECT statement
like this:

SELECT col1,col2 FROM myTable WHERE col3=:1 AND col4=:2

The values for :1 and :2 are supplied in the varslist which can either be a
comma separated list of simple variable names or a single array variable
with, in this case, keys 1 and 2, with the variable names enclosed in
quotes.

So the revDataFromQuery call would be:

put revDataFromQuery(,,gDBID,tSelect,"tValue1,tValue2") into tData

OR

put revDataFromQuery(,,gDBID,tSelect,"tArray") into tData

In addition to preventing SQL injection attacks, this also avoids the need
to escape troublesome characters like quotes in the data.

Pete
lcSQL Software <http://www.lcsql.com>
Home of lcStackBrowser <http://www.lcsql.com/lcstackbrowser.html> and
SQLiteAdmin <http://www.lcsql.com/sqliteadmin.html>
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode



--
Jacqueline Landman Gay         |     jac...@hyperactivesw.com
HyperActive Software           |     http://www.hyperactivesw.com
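To make Pete's point concrete (and to answer the question at the top: the intruder usually cannot talk to the database at all, only to the app, so what matters is whether the app pastes the intruder's values into the SQL text or hands them over separately), here is an added example that is not from the original thread or from LiveCode. It uses Python's built-in sqlite3 module because that runs anywhere; the `?` placeholders play the same role as the `:1` and `:2` in Pete's SELECT, and the tuple passed alongside the query is the equivalent of his varsList. The table `myTable` and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table matching the columns in Pete's SELECT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (col1 TEXT, col2 TEXT, col3 TEXT, col4 TEXT)")
    conn.executemany(
        "INSERT INTO myTable VALUES (?, ?, ?, ?)",
        [
            ("alice", "admin", "alice", "secret1"),  # constructed sample row
            ("bob", "user", "bob", "secret2"),       # constructed sample row
        ],
    )
    return conn


def query_concatenated(conn, value1, value2):
    """Vulnerable form: the values become part of the SQL text itself.

    A value containing a quote can therefore close the string literal and
    change the structure of the statement the database actually runs.
    """
    sql = (
        "SELECT col1,col2 FROM myTable WHERE col3='" + value1
        + "' AND col4='" + value2 + "'"
    )
    return conn.execute(sql).fetchall()


def query_parameterized(conn, value1, value2):
    """Hardened form: placeholders in the SQL, values supplied separately.

    This is what revDataFromQuery's varsList does with :1 and :2. The
    database receives the statement and the values as two different
    things, so a quote inside a value is just a character in that value.
    """
    sql = "SELECT col1,col2 FROM myTable WHERE col3=? AND col4=?"
    return conn.execute(sql, (value1, value2)).fetchall()


def compare(value1, value2):
    """Run the same inputs through both forms and return both result sets."""
    conn = make_db()
    try:
        return {
            "concatenated": query_concatenated(conn, value1, value2),
            "parameterized": query_parameterized(conn, value1, value2),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-behaved input: both forms agree.
    print(compare("alice", "secret1"))
    # A value with a stray quote: the concatenated form's WHERE clause is
    # rewritten by it, while the parameterized form simply finds no match.
    print(compare("alice", "x' OR '1'='1"))
```

With ordinary input both functions return the same row. With a value that happens to contain a quote, the concatenated version's WHERE clause no longer means what the programmer wrote and every row comes back, while the parameterized version returns nothing because no row has that literal string in col4. That is also why Pete notes the varsList route removes the need to escape quotes by hand: the value never enters the SQL text, so there is nothing to escape.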
