From: Michel Levy (France)
To: Rick C. Hodgin (Indianapolis, Indiana - United States)
Subject: RE: Conditional View in MySql
Thread ID: 365665 Message ID: 365781 # Views: 30 # Ratings: 0
Version: Visual FoxPro 9 SP2 Category: Databases, Tables and SQL Server
Date: Monday, December 31, 2012 12:08:20 PM         

> > I disagree: whatever validity checks you can put in your client
> > design, you will never avoid sql injection another way than with
> > parametrization.
>
>
> This statement did not make sense to me. So, I began looking at the ODBC API to see about parametrization and I now understand what you mean.
>
> I had always assumed the parameter feature in VFP was a shorthand syntax for doing what I was doing explicitly via long-hand as in my code in this thread. But, I was wrong. There exists the mechanism you explain for that explicit purpose. In 25+ years of programming, I have never known this, and have even rarely used it.
>
>
> > Every concatenation is a possible entrance for sql injection. The
> > example you gave does not demonstrate how to build a variable SQL
> > expression, no. It demonstrates how to build an insecure client system,
> > that a DBA will decline, and where the developer could be prosecuted
> > in case of successful attack against the server (at least in some
> > countries).
>
>
> You could consider that your knowledge should be used as from a teaching perspective, rather than one of simply attacking someone else. You could demonstrate to the one with lesser knowledge how to do the thing properly, rather than being insulting to them.
>
> I always like to learn new things in programming. And from you today I have learned something new. I thank you for that.
>
>
> > I agree: programming is a complex process, and I think that SQL RGDB
> > world is in itself a complex process, with some specific rules. Before
> > I begin to develop more deeply with SQL Server I did not imagine how
> > complex and specific it may be (in other words when I believed that
> > Clipper/Fox/VFP was something similar to SQL)
>
>
> I see what you mean.
>
>
> > You say that some languages have no ability to send parameters,
> > could you elaborate please?
>
>
> I was referring to the syntax of the SQL command in the SQLEXEC() function. I mistakenly believed this was a VFP-specific shorthand feature to introduce variables into the literal character string. However, it actually uses the parameter features of ODBC, which I did not know about before.
>
> It was my mistake. I appreciate you correcting and teaching me, Michel. Thank you.
>
> Best regards,
> Rick C. Hodgin

--
Rick,

Parameters are a very great feature in RGBD, not only for security, but also (mainly) for performance.

When you send a parametrized SELECT statement to a SQL Server, the static part remains stored in cache for future usage by the execution plan, with the type of the parameters for choosing the best index, and the value of the parameters will be used to analyze the execution plans in memory and choose the best one, taking into account the distribution and allocation of data.
BTW it is also used by the engine to know the intentional locks (i.e. non-exclusive locks) to put, with the scope of these locks, and if necessary the future escalation of the locks. This mechanism will speed up all future UPDATEs on the same rows.

Michel L
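As an added illustration (not code from this thread or from either poster), here are the two shapes of SQLEXEC() call the exchange is about: the value concatenated into the SQL text, and the same query with an ODBC parameter. It assumes a DSN named "MyDsn" and a table customer(id, lastname), both placeholders.

```foxpro
* Added example, not from the thread: concatenation vs. ODBC parameter in SQLEXEC().
* Assumes an ODBC DSN "MyDsn" (placeholder) and a table customer(id, lastname).
LOCAL lnHandle, lcLastName, lcSql, lnResult
LOCAL ARRAY laErr[1]

lnHandle = SQLCONNECT("MyDsn")         && placeholder DSN name
IF lnHandle <= 0
   AERROR(laErr)
   ? "Connect failed:", laErr[2]
   RETURN
ENDIF

* A perfectly legitimate value that happens to contain a single quote.
lcLastName = "O'Brien"

* Unsafe: the value becomes part of the SQL text. Here the embedded quote only
* breaks the statement (syntax error on the server), but because the server
* cannot tell data from syntax, any quote in user input rewrites the query.
lcSql = "SELECT id, lastname FROM customer WHERE lastname = '" ;
      + lcLastName + "'"
lnResult = SQLEXEC(lnHandle, lcSql, "crsUnsafe")
IF lnResult > 0
   ? "Concatenated:", RECCOUNT("crsUnsafe"), "row(s)"
ELSE
   AERROR(laErr)
   ? "Concatenated: error", laErr[2]
ENDIF

* Safe: ?lcLastName marks an ODBC parameter. The statement text is fixed and
* identical for every value; VFP binds the value separately, so the quote is
* data, never SQL syntax. The server can also cache the plan for this text.
lcSql = "SELECT id, lastname FROM customer WHERE lastname = ?lcLastName"
lnResult = SQLEXEC(lnHandle, lcSql, "crsSafe")
IF lnResult > 0
   ? "Parametrized:", RECCOUNT("crsSafe"), "row(s)"
ELSE
   AERROR(laErr)
   ? "Parametrized: error", laErr[2]
ENDIF

SQLDISCONNECT(lnHandle)
```

Run against any ODBC source: the first call fails or misbehaves on the apostrophe, the second returns the matching row(s), and the same fixed statement text is what lets the server reuse the execution plan Michel describes.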
