I had someone point out to me that some of the sample code I have used might be vulnerable to an insertion attack. So I feel it is time to address this subject.
First when using examples I try to just focus on the subject of the current blog and often strip a lot of things that are irrelevant to the point I am trying to make out. But now to the subject of keeping your code save.
If you write and SQL statement looking something like
lc_sql = “SELECT * from customer WHERE custno = ‘” + lc_custno + “‘”
Someone could enter “‘; TRUNCATE TABLE customer;’” resulting in a SQL statement looking like
SELECT * from customer WHERE custno = ”; TRUNCATE TABLE customer; ”
Which could be quite disasterous. So to avoid this we could use parameterized queries which I cannot as I am using a seperate function to wrap around the SQLEXEC() function to do all kinds of things like …[Read more]