Re: Win32 Needs



Chris Morgan wrote:
I _always_ use QuotedStr() for string parameters. So no problems
with SQL injection.

FYI, QuotedStr does not protect you from SQL injection - you need to
use pre-prepared parameterised queries for that.

Can you provide an example where you get a different SQL statement by using a "special" string value?

Ralf
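An added example, not part of this thread, written in Python with sqlite3 rather than Delphi so it runs stand-alone: quoted_str is this example's own emulation of QuotedStr (wrap in single quotes, double any embedded quote), and the users table is constructed sample data. It puts a concatenated statement next to a parameterised one. For a value with an embedded quote both return the same row, so the quote case alone does not separate them; the difference is that the parameterised version sends one fixed statement text for every input, while the concatenated version sends a different statement per input and is only as safe as the match between QuotedStr's rules and the backend's literal syntax.

```python
import sqlite3


def quoted_str(value: str) -> str:
    """Emulates Delphi's QuotedStr (emulation written for this example):
    wrap in single quotes, doubling any embedded single quote."""
    return "'" + value.replace("'", "''") + "'"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table used only by this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "user"), ("O'Brien", "user"), ("root", "admin")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str):
    """Concatenation style: the statement text is rebuilt from QuotedStr(name)
    on every call, so the text the server parses depends on the input."""
    sql = "SELECT name, role FROM users WHERE name = " + quoted_str(name)
    return sql, conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str):
    """Parameterised style: the statement text is constant; the value is
    handed to the driver separately and never becomes part of the parsed SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return sql, conn.execute(sql, (name,)).fetchall()


def statement_texts(conn: sqlite3.Connection, lookup, inputs):
    """Distinct SQL texts a lookup function sends for a set of inputs.
    A size of 1 means no input can change the statement."""
    return {lookup(conn, value)[0] for value in inputs}


if __name__ == "__main__":
    db = make_db()
    probes = ["alice", "O'Brien", "it's", "a'' b"]
    print("distinct concatenated statements:", len(statement_texts(db, lookup_concat, probes)))
    print("distinct parameterised statements:", len(statement_texts(db, lookup_param, probes)))
    for value in probes:
        same = lookup_concat(db, value)[1] == lookup_param(db, value)[1]
        print(repr(value), "same result:", same)
```

The point the check makes: escaping is a property of the text you build and has to agree with every backend you ever run against, while parameters are a property of the protocol, so the statement the database parses is the same no matter what the user typed.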
