And THAT is sql injection. It crashes your application.

-----Original Message-----
From: profoxtech-boun...@leafe.com [mailto:profoxtech-boun...@leafe.com] On
Behalf Of Ken Dibble
Sent: Saturday, June 25, 2011 6:06 PM
To: profoxt...@leafe.com
Subject: RE: [NF] Questions on migrating VFP app


>Right. I'm your user and I enter "'] as my name. what you gonna do?

Any character text to be searched for in a SELECT will be surrounded by
double quotes. (Any textbox that is for some data type other than character
would not accept your proposed string.) So if I didn't have any validation
code at all, I would attempt to execute the following statement:

SELECT users.id from users where login == ""']"

In VFP, the error is "Command contains unrecognized phrase/keyword"

Any other database system that permits you to legally use text delimiters in
such a way would be insane.

In fact, my validation code would throw an error on that for the same
reason.

Ken Dibble
www.stic-cil.org




[excessive quoting removed by server]
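The failure mode the thread describes, as an added example that is not from the thread: a lookup that wraps the raw input in string delimiters (the `users` table, the sample rows and the use of sqlite3 are constructed here; the original is VFP) next to the parameterised form, which passes the same `"']` input as a value rather than as query text.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the thread's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (login) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_unsafe(conn, login):
    """Builds the statement the way the thread describes: delimiters placed
    around whatever the user typed. A delimiter inside the input ends the
    literal early and the statement no longer parses, so the driver raises
    (the 'crash' the reply refers to). Returns matching ids, or an error
    string when the statement is rejected."""
    sql = "SELECT id FROM users WHERE login = '" + login + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def lookup_safe(conn, login):
    """Parameterised form: the login is handed to the driver as a bound value,
    so quote or bracket characters in it are data, never syntax. Unmatched
    input simply yields no rows instead of an error."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE login = ?", (login,))]


if __name__ == "__main__":
    db = make_db()
    hostile = "\"']"  # the exact name proposed in the thread
    print(lookup_unsafe(db, "alice"))   # [1]
    print(lookup_unsafe(db, hostile))   # error: ... syntax/unrecognized token
    print(lookup_safe(db, hostile))     # []
```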

_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/000501cc3359$0c6e6890$254b39b0$@gmail.com