| Subject | Re: Visual Basic - ADO - Select From blah Where blah = blah1 SQL Statements |
|---|---|
| Author | Adam |
| Post date | 2007-03-10T02:11:32Z |
Not answering your question here, someone with more VB knowledge may
need to point you in the right direction, which may also be pointing
you to another list because it seems to be more a VB / ODBC issue.
through an SQL Injection attack.
(http://en.wikipedia.org/wiki/Sql_injection)
Most languages and connection components provide some facility to use
paramatised queries to avoid this potential.
eg. Delphi + IBX.
qry.Text := 'SELECT * FROM USERS WHERE USERNAME= :UserName';
qry.ParamByName('UserName').Value := userName;
qry.Open;
The usual warnings about never selecting '*' also apply.
Adam
need to point you in the right direction, which may also be pointing
you to another list because it seems to be more a VB / ODBC issue.
> SQL = "SELECT * FROM USERS WHERE USERNAME='" & userName & "'"But I need to point out that your code is begging to be compromised
> rs.Open SQL, cnBase, adOpenDynamic, adLockOptimistic
through an SQL Injection attack.
(http://en.wikipedia.org/wiki/Sql_injection)
Most languages and connection components provide some facility to use
paramatised queries to avoid this potential.
eg. Delphi + IBX.
qry.Text := 'SELECT * FROM USERS WHERE USERNAME= :UserName';
qry.ParamByName('UserName').Value := userName;
qry.Open;
The usual warnings about never selecting '*' also apply.
Adam