Re: Calls to SQL from FoxPro
Posted by: Dave Call
Date: December 20, 2007 05:58PM

You shouldn't ever build a string and then pass it as a SQL statement into SQL Server. It poses huge security risks (depending on your database), a.k.a. SQL injection.

Instead of doing this:
MySQL_str = "select * from some_file where boxid=" + alltrim(str(xxx))
sqlexec(gnHandle, MySQL_str, "curReturn")

do this:
xxx='38107'
SQLEXEC(gnConnHandle, 'SELECT * FROM box where box_id=&xxx')

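As an added example that is not part of Dave Call's post: Visual FoxPro's SQLEXEC() and SQLPREPARE() accept `?name` placeholders, which hand the variable's value to the ODBC driver as a bound parameter instead of pasting it into the statement text, so the value is never parsed as SQL. The table `box` and column `box_id` are the ones from the post; the connection handle `gnConnHandle`, the variable names and the sample values are assumptions made for this example.

```foxpro
* Added example, not code from the original post.
* gnConnHandle is assumed to be an open handle from SQLCONNECT() or
* SQLSTRINGCONNECT(). Table "box" and column "box_id" come from the post.

* --- Single lookup with a bound numeric parameter --------------------
LOCAL lnBoxId, lnResult
lnBoxId = 38107                 && constructed sample value

* "?lnBoxId" is a parameter marker: the driver receives the value typed,
* separately from the SQL text, so no quoting or escaping is needed.
lnResult = SQLEXEC(gnConnHandle, ;
    "SELECT * FROM box WHERE box_id = ?lnBoxId", "curReturn")

IF lnResult < 0
    * SQLEXEC returns -1 on failure; AERROR() fills a 7-column array and
    * element [1,2] holds the driver's error message.
    LOCAL laErr[1]
    AERROR(laErr)
    ? "Query failed:", laErr[1,2]
ELSE
    SELECT curReturn
    ? "Rows returned:", RECCOUNT()
ENDIF

* --- Character parameter: quotes in the value are delivered intact ----
LOCAL lcOwner
lcOwner = "O'Brien"             && constructed sample value
* With macro substitution (&lcOwner) the apostrophe would end the string
* literal and corrupt the statement; as a parameter it is just data.
lnResult = SQLEXEC(gnConnHandle, ;
    "SELECT * FROM box WHERE owner_name = ?lcOwner", "curOwner")

* --- Prepared statement reused for several ids -----------------------
* SQLPREPARE() compiles the statement once; each SQLEXEC(handle) call
* re-reads the current value of lnBoxId and binds it again.
LOCAL lnPrep, lnId
lnPrep = SQLPREPARE(gnConnHandle, ;
    "SELECT * FROM box WHERE box_id = ?lnBoxId", "curOne")
IF lnPrep = 1
    FOR lnId = 38107 TO 38109
        lnBoxId = lnId
        IF SQLEXEC(gnConnHandle) = 1
            SELECT curOne
            ? "box_id", lnBoxId, "->", RECCOUNT(), "row(s)"
        ENDIF
    ENDFOR
ENDIF
```

Only a variable name may follow `?`; an expression must be wrapped as `?(expr)`, and the value cannot be used for a table or column name, which is exactly the restriction that keeps the statement structure fixed.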

