Using parameters to prevent disaster
How can using parameters prevent db-disaster?
Example:
(where eMail is a string containing data which the user submitted, concatenated into the query text)
string query = "UPDATE `customer` SET `email` = '" + eMail + "' WHERE `custNo` = 1";  // eMail is pasted straight into the SQL
I read that a malicious user could put in some escape characters to trick the database into doing all sorts of bad stuff. Is this possible with the above code? Would using parameters prevent that?
Thanks,
Martin
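The following is an added example, not code from the original post or from any of the replies. It shows the concatenated UPDATE from the question beside the parameterized version, run against an in-memory SQLite database (standing in for the MySQL `customer` table, since sqlite3 ships with Python and needs no server). The table contents, the customer numbers and the malicious email value are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: three customers, not taken from the original post.
CUSTOMERS = [
    (1, "martin@example.com"),
    (2, "alice@example.com"),
    (3, "bob@example.com"),
]

# A hypothetical value a malicious user could submit as their email address.
# The single quote closes the string literal, the rest replaces the WHERE
# clause, and "-- " comments out whatever the application appends afterwards.
MALICIOUS_EMAIL = "evil@example.com' WHERE 1=1 -- "


def fresh_db():
    """In-memory SQLite database standing in for the MySQL `customer` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (custNo INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def update_email_concatenated(conn, email, cust_no=1):
    """The pattern from the post: user data pasted straight into the SQL text.
    Returns the SQL string that was actually executed, so it can be inspected."""
    query = "UPDATE customer SET email = '" + email + "' WHERE custNo = " + str(cust_no)
    conn.execute(query)
    conn.commit()
    return query


def update_email_parameterized(conn, email, cust_no=1):
    """Same update with parameters. The statement text is fixed; the driver
    sends the values separately, so the email can only ever be data, never SQL."""
    conn.execute("UPDATE customer SET email = ? WHERE custNo = ?", (email, cust_no))
    conn.commit()


def emails(conn):
    """Current email per custNo, for checking what each version actually did."""
    return dict(conn.execute("SELECT custNo, email FROM customer ORDER BY custNo"))


if __name__ == "__main__":
    conn = fresh_db()
    print(update_email_concatenated(conn, MALICIOUS_EMAIL))
    print("concatenated:", emails(conn))    # every customer now has the attacker's address
    conn = fresh_db()
    update_email_parameterized(conn, MALICIOUS_EMAIL)
    print("parameterized:", emails(conn))   # only custNo 1 changed; the payload is stored literally
```

With concatenation the executed statement becomes `UPDATE customer SET email = 'evil@example.com' WHERE 1=1 -- ' WHERE custNo = 1`, so the WHERE clause the programmer wrote is commented away and every row is overwritten. With parameters the same input ends up as the literal email of customer 1 and nothing else. The same payload works against MySQL (MySQL requires the space after `--`, which is why it is included); whether an attacker can go further, for example by appending a second statement after a semicolon, depends on the driver, but parameters close off the whole class regardless.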
Thread: Using parameters to prevent disaster
Posted November 22, 2004 04:58AM; replies posted November 24, 2004 03:12PM and November 30, 2004 04:29PM.
Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.