Re: Calls to SQL from Foxpro
Posted by: Dave Call
Date: December 20, 2007 05:58PM

You shouldn't ever build a string and then pass it as a SQL statement into SQL Server. It poses huge security risks (depending on your database), a.k.a. SQL injection.

Instead of doing this:
MySQL_str = "select * from some_file where boxid=" + alltrim(str(xxx))
sqlexec(gnHandle,MySQL_str,"curReturn")

do this:
xxx='38107'
SQLEXEC(gnConnHandle, 'SELECT * FROM box where box_id=&xxx')
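A note on the two forms above, from a defensive angle: `&xxx` is Visual FoxPro macro substitution, so the variable's text is expanded into the command string before SQLEXEC() runs, and the server still receives a statement assembled from the value. VFP's SQL pass-through also supports `?` parameter markers, which hand the value to the ODBC driver as a bound parameter kept separate from the SQL text, so quotes or other characters in the value cannot change the statement. The following is an added example, not code from Dave Call's post; the connection handle gnConnHandle, the box table and its box_id and label columns are assumptions, and the sample values are constructed.

```foxpro
* Added example (not from the original post): parameterized SQL pass-through
* in Visual FoxPro. gnConnHandle is assumed to hold a handle obtained from
* SQLCONNECT() or SQLSTRINGCONNECT(); the box table and its box_id and
* label columns are assumed to exist on the server.
LOCAL lnBoxId, lcBoxLabel, lnResult

* Numeric key: ?lnBoxId binds the variable as a parameter, so the driver
* receives the value 38107 separately from the statement text.
lnBoxId = 38107   && constructed sample value
lnResult = SQLEXEC(gnConnHandle, ;
    "SELECT * FROM box WHERE box_id = ?lnBoxId", "curReturn")
IF lnResult < 0
    * SQLEXEC() returns -1 on failure; AERROR() fills laErr with the details.
    AERROR(laErr)
    ? "SQLEXEC failed:", laErr[2]
ENDIF

* Character value: same pattern. The apostrophe in the constructed value
* needs no manual escaping, because the value is never spliced into the SQL
* text; the driver passes it as a bound string.
lcBoxLabel = "O'Brien's box"   && constructed sample value
lnResult = SQLEXEC(gnConnHandle, ;
    "SELECT * FROM box WHERE label = ?lcBoxLabel", "curByLabel")
IF lnResult < 0
    AERROR(laErr)
    ? "SQLEXEC failed:", laErr[2]
ENDIF

* Repeated lookups: prepare the parameterized statement once, then
* re-execute it with different values of lnBoxId.
IF SQLPREPARE(gnConnHandle, ;
        "SELECT * FROM box WHERE box_id = ?lnBoxId", "curReturn") > 0
    FOR lnBoxId = 38107 TO 38109
        IF SQLEXEC(gnConnHandle) > 0
            ? "box_id", lnBoxId, "returned", RECCOUNT("curReturn"), "row(s)"
        ENDIF
    ENDFOR
ENDIF
```

The parameter marker is the variable name prefixed with `?`; VFP evaluates the variable at execution time and the ODBC driver binds its value, so the same statement text can be prepared once and executed many times with different inputs.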
