Welcome To The Home Of The Visual FoxPro Experts  
From: Rick C. Hodgin (Indianapolis, Indiana - United States)
To: Michel Levy (France)
Subject: RE: Conditional View in MySql
Thread ID: 365665 Message ID: 365724 # Views: 32 # Ratings: 0
Version: Visual FoxPro 9 SP2 Category: Databases, Tables and SQL Server
Date: Sunday, December 30, 2012 11:46:35 PM

> I disagree: whatever validity checks you can put in your client
> design, you will never avoid sql injection another way than with
> parametrization.


This statement did not make sense to me. So, I began looking at the ODBC API to see about parametrization and I now understand what you mean.

I had always assumed the parameter feature in VFP was a shorthand syntax for doing what I was doing explicitly via long-hand as in my code in this thread. But, I was wrong. There exists the mechanism you explain for that explicit purpose. In 25+ years of programming, I have never known this, and have even rarely used it.


> Every concatenation is a possible entrance for sql injection. The
> example you gave does not demonstrate how to build a variable SQL
> expression, no. It demonstrates how to build an insecure client system,
> that a DBA will decline, and where the developer could be prosecuted
> in case of successful attack against the server (at least in some
> countries).


You could consider that your knowledge should be used from a teaching perspective, rather than one of simply attacking someone else. You could demonstrate to the one with lesser knowledge how to do the thing properly, rather than being insulting to them.

I always like to learn new things in programming. And from you today I have learned something new. I thank you for that.


> I agree: programming is a complex process, and I think that SQL RGDB
> world is in itself a complex process, with some specific rules. Before
> I begin to develop more deeply with SQL Server I did not imagine how
> complex and specific it may be (in other words when I believed that
> Clipper/Fox/VFP was something similar to SQL)


I see what you mean.


> You say that some languages have not ability to send parameters,
> could you elaborate please?


I was referring to the syntax of the SQL command in the SQLEXEC() function. I mistakenly believed this was a VFP-specific shorthand feature to introduce variables into the literal character string. However, it actually uses the parameter features of ODBC, which I did not know about before.

It was my mistake. I appreciate you correcting and teaching me, Michel. Thank you.

Best regards,
Rick C. Hodgin
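
The difference the two posters are discussing, shown side by side as an added example that is not part of the thread: the "long-hand" query built by string concatenation next to the same query with the value bound as a driver-level parameter. This is Python with an in-memory SQLite database standing in for the MySQL server reached through ODBC, and the table and the inputs are constructed for the illustration; in VFP the bound form is SQLEXEC() with a `?lcName` placeholder in the command string, which the ODBC driver sends as a parameter rather than as SQL text, exactly as Michel describes.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the thread); SQLite replaces the MySQL/ODBC back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, city) VALUES (?, ?)",
        [("Alice", "Indianapolis"), ("Bob", "Paris"), ("Carol", "Lyon"), ("O'Brien", "Cork")],
    )
    return conn


def lookup_concat(conn, name):
    """The long-hand form: the caller's value is spliced into the statement text.
    The server parses NAME as SQL, so quotes inside it change the query itself."""
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """The parameterised form: the statement text is fixed and NAME is sent as a
    bound value (same mechanism as VFP's SQLEXEC() with a ?variable placeholder)."""
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both forms against an honest value, a hostile value and a legitimate
    value that happens to contain an apostrophe; returns the results for inspection."""
    conn = make_db()
    honest = "Bob"
    hostile = "x' OR '1'='1"   # constructed attacker input, closes the quote and adds a tautology
    apostrophe = "O'Brien"     # legitimate data that also contains a quote character

    result = {
        "concat_honest": lookup_concat(conn, honest),
        "concat_hostile": lookup_concat(conn, hostile),   # every row comes back
        "param_honest": lookup_param(conn, honest),
        "param_hostile": lookup_param(conn, hostile),     # compared as a literal: no row
        "param_apostrophe": lookup_param(conn, apostrophe),
    }
    try:
        result["concat_apostrophe"] = lookup_concat(conn, apostrophe)
    except sqlite3.OperationalError:
        # Concatenation also breaks on ordinary data: the embedded quote produces
        # a malformed statement, which the parameterised form handles without fuss.
        result["concat_apostrophe"] = "syntax error"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the hostile row makes is the one in the quoted reply: client-side validation of `name` does not change the fact that, in the concatenated form, the server receives the value as part of the statement. The bound form sends one fixed statement and one value, so the value can never become syntax, and the apostrophe case shows the same mechanism also fixing a correctness bug that has nothing to do with an attacker.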

ENTIRE THREAD

Conditional View in MySql Posted by Ahsan Rana @ 12/29/2012 6:40:17 PM
RE: Conditional View in MySql Posted by Rick Hodgin @ 12/29/2012 7:36:07 PM
RE: Conditional View in MySql Posted by Ahsan Rana @ 12/30/2012 9:59:20 AM
RE: Conditional View in MySql Posted by Michel Levy @ 12/30/2012 11:10:28 AM
RE: Conditional View in MySql Posted by David Mustakim @ 12/30/2012 11:30:42 AM
RE: Conditional View in MySql Posted by Stefan Wuebbe @ 12/30/2012 12:51:16 PM
RE: Conditional View in MySql Posted by Ahsan Rana @ 12/30/2012 1:01:04 PM
RE: Conditional View in MySql Posted by Stefan Wuebbe @ 12/30/2012 1:13:28 PM
RE: Conditional View in MySql Posted by David Mustakim @ 12/30/2012 4:40:56 PM
RE: Conditional View in MySql Posted by Michel Levy @ 12/30/2012 5:59:59 PM
RE: Conditional View in MySql Posted by David Mustakim @ 12/30/2012 6:53:52 PM
RE: Conditional View in MySql Posted by Michel Levy @ 12/30/2012 1:06:01 PM
RE: Conditional View in MySql Posted by Rick Hodgin @ 12/30/2012 2:59:44 PM
RE: Conditional View in MySql Posted by Michel Levy @ 12/30/2012 6:19:54 PM
RE: Conditional View in MySql Posted by Rick Hodgin @ 12/30/2012 11:46:35 PM
RE: Conditional View in MySql Posted by Michel Levy @ 12/31/2012 12:08:20 PM
RE: Conditional View in MySql Posted by Rick Hodgin @ 12/31/2012 9:37:10 PM
RE: Conditional View in MySql Posted by Michel Levy @ 12/30/2012 6:20:12 PM
RE: Conditional View in MySql Posted by Rick Hodgin @ 12/31/2012 12:06:08 AM
RE: Conditional View in MySql Posted by M. Tanveer Ul Hassan Shaheen @ 12/29/2012 9:05:17 PM
RE: Conditional View in MySql Posted by M. Tanveer Ul Hassan Shaheen @ 12/29/2012 9:11:09 PM
RE: Conditional View in MySql Posted by David Mustakim @ 12/30/2012 1:49:10 PM
RE: Conditional View in MySql Posted by Anders Altberg @ 12/30/2012 4:09:15 PM