| Subject | Re: [firebird-support] using procedures for inserts |
|---|---|
| Author | Ann Harrison |
| Post date | 2011-07-08T04:25:34Z |
On Thu, Jul 7, 2011 at 2:46 PM, Tom Wright <tom@...> wrote:
of the procedure to the user.
without the input variables so you can't change something like
insert (f1) into students values (?)
into something like
insert (f1) into students values 'abc'''; delete from students;'
the parameter you supply can only be a value for f1 in the students table -
it can't go on and become a statement of its own.
Good luck,
Ann
[Non-text portions of this message have been removed]
> Hi,Grant permission to insert into the table to the procedure and grant execute
> I'm pretty new to firebird but have decided it's time to learn something
> a bit more advanced than very basic mySQL (i.e. learnt before mySQL
> supported triggers and procedures).
>
> It seems sensible to me to use procedures to validate my data before
> inserting it into the tables, I have two main questions.
>
> 1) If a user has permissions on a procedure that inserts data into a
> table, will I need to also provide them with write permissions on the
> underlying table?
>
of the procedure to the user.
>You really don't need to worry about that. The procedure is compiled
> 2) Are there any functions out there similar to the PHP
> mysql_real_escape_string() that I can use to sanitize the strings before
> inserting them into a database (I realise this approach won't stop SQL
> injection attacks breaking the procedure but I believe in layered
> protection)?
>
without the input variables so you can't change something like
insert (f1) into students values (?)
into something like
insert (f1) into students values 'abc'''; delete from students;'
the parameter you supply can only be a value for f1 in the students table -
it can't go on and become a statement of its own.
Good luck,
Ann
[Non-text portions of this message have been removed]