From: Rick C. Hodgin (Indianapolis, Indiana - United States)
To: Michel Levy (France)
Subject: RE: Conditional View in MySql
Thread ID: 365665 Message ID: 365703 # Views: 35 # Ratings: 0
Version: Visual FoxPro 9 SP2 Category: Databases, Tables and SQL Server
Date: Sunday, December 30, 2012 2:59:44 PM         
> do you know that you open the door to SQL injection,
> with such abominable code???

The OP said "select any product from VFP form". I had assumed by use of the word "select" that it came from a prior query revealing only valid items. But regardless, my code example wasn't designed to fill the user's explicit request, such as copy-and-paste my code into their project, but rather was designed to demonstrate the steps required to build a SQL expression containing variable portions.

> a database developer should NEVER NEVER concatenate
> the variable value in the where clause.

If your system passes raw data that hasn't gone through any validity checks, then I agree. Such a system design is dangerous, not the assembly through concatenation.

Michel, all a person is doing prior to SQLEXEC is building a proper syntax SQL expression for the remote engine. In VFP you can use ?whatever, but not in all languages. The form I used works identically and conveys explicitly what's taking place -- i.e., the user is building the variable portions atop/alongside the fixed ones, and it works as a concept in general.

> Please, keep your advice in the area you have some
> knowledge, and it seems that SQL development is out
> of your knowledge.

How do you conclude this?

Programming is a complex process involving many, many factors. The example I gave here demonstrates building a variable SQL expression. There is much more involved than this in making a robust, secure system. I am sure you know this.

Best regards,
Rick C. Hodgin
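The two approaches argued over in this exchange, concatenating the value into the WHERE clause versus binding it as a parameter (VFP's `?variable` in SQLEXEC), shown side by side as an added example that is not code from either poster. Python's `sqlite3` stands in for the VFP-to-MySQL connection, the `product(id, name)` table and its rows are constructed for the demonstration, and the "valid items from a prior query" check is my reading of Rick's argument, not his code. A legitimate product name containing an apostrophe is enough to show the difference: the concatenated statement is no longer valid SQL, while the bound parameter is treated strictly as data.

```python
import sqlite3

# Constructed stand-in for the OP's MySQL product table (assumed columns: id, name).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO product (name) VALUES (?)",
        [("Widget",), ("O'Brien Special",), ("Gadget",)],
    )
    conn.commit()
    return conn


def find_by_concatenation(conn, product_name):
    """The concatenation form discussed in the thread: the value is pasted into
    the statement text, so the driver cannot tell data from SQL syntax."""
    sql = "SELECT id, name FROM product WHERE name = '" + product_name + "'"
    return [tuple(row) for row in conn.execute(sql)]


def find_by_parameter(conn, product_name):
    """Parameter binding, the equivalent of VFP's  SQLEXEC(h, "... WHERE name = ?m.lcName").
    The statement text is fixed; the value travels separately and is never parsed as SQL."""
    sql = "SELECT id, name FROM product WHERE name = ?"
    return [tuple(row) for row in conn.execute(sql, (product_name,))]


def allowed_product_names(conn):
    """The 'prior query revealing only valid items' that the form would present to the user."""
    return {row[0] for row in conn.execute("SELECT name FROM product")}


def find_validated(conn, product_name, allowed_names):
    """Validity check against the previously presented list, combined with binding.
    Either control alone helps; the check limits what reaches the query, the binding
    guarantees the value is data even if the check is ever bypassed."""
    if product_name not in allowed_names:
        raise ValueError("product was not among the items offered for selection")
    return find_by_parameter(conn, product_name)


def concatenation_breaks_on_quote(conn):
    """True when the concatenated query fails for a real name containing an apostrophe,
    i.e. the name's quote character has been interpreted as SQL syntax."""
    try:
        find_by_concatenation(conn, "O'Brien Special")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("bound parameter :", find_by_parameter(db, "O'Brien Special"))
    print("concatenation breaks on apostrophe:", concatenation_breaks_on_quote(db))
    print("validated lookup:", find_validated(db, "Gadget", allowed_product_names(db)))
```

The same failure that turns an apostrophe in a product name into a syntax error is what an attacker relies on to alter the statement, so the broken query for `O'Brien Special` is the early warning sign a reviewer should look for. With binding the statement text never changes regardless of the value, which is why it holds up even when the input validation Rick describes is missing or incomplete.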

ENTIRE THREAD

Conditional View in MySql Posted by Ahsan Rana @ 12/29/2012 6:40:17 PM
RE: Conditional View in MySql Posted by Rick Hodgin @ 12/29/2012 7:36:07 PM
RE: Conditional View in MySql Posted by Ahsan Rana @ 12/30/2012 9:59:20 AM
RE: Conditional View in MySql Posted by Michel Levy @ 12/30/2012 11:10:28 AM
RE: Conditional View in MySql Posted by David Mustakim @ 12/30/2012 11:30:42 AM
RE: Conditional View in MySql Posted by Stefan Wuebbe @ 12/30/2012 12:51:16 PM
RE: Conditional View in MySql Posted by Ahsan Rana @ 12/30/2012 1:01:04 PM
RE: Conditional View in MySql Posted by Stefan Wuebbe @ 12/30/2012 1:13:28 PM
RE: Conditional View in MySql Posted by David Mustakim @ 12/30/2012 4:40:56 PM
RE: Conditional View in MySql Posted by Michel Levy @ 12/30/2012 5:59:59 PM
RE: Conditional View in MySql Posted by David Mustakim @ 12/30/2012 6:53:52 PM
RE: Conditional View in MySql Posted by Michel Levy @ 12/30/2012 1:06:01 PM
RE: Conditional View in MySql Posted by Rick Hodgin @ 12/30/2012 2:59:44 PM
RE: Conditional View in MySql Posted by Michel Levy @ 12/30/2012 6:19:54 PM
RE: Conditional View in MySql Posted by Rick Hodgin @ 12/30/2012 11:46:35 PM
RE: Conditional View in MySql Posted by Michel Levy @ 12/31/2012 12:08:20 PM
RE: Conditional View in MySql Posted by Rick Hodgin @ 12/31/2012 9:37:10 PM
RE: Conditional View in MySql Posted by Michel Levy @ 12/30/2012 6:20:12 PM
RE: Conditional View in MySql Posted by Rick Hodgin @ 12/31/2012 12:06:08 AM
RE: Conditional View in MySql Posted by M. Tanveer Ul Hassan Shaheen @ 12/29/2012 9:05:17 PM
RE: Conditional View in MySql Posted by M. Tanveer Ul Hassan Shaheen @ 12/29/2012 9:11:09 PM
RE: Conditional View in MySql Posted by David Mustakim @ 12/30/2012 1:49:10 PM
RE: Conditional View in MySql Posted by Anders Altberg @ 12/30/2012 4:09:15 PM