Subject | Re: [firebird-support] Question: RDB$SYSTEM_FLAG = 0 No Results |
---|---|
Author | Robert Tulloch |
Post date | 2019-02-28T20:48:29Z |
All the same.
Best regards
On 2/28/2019 2:38 PM, Mark Rotteveel mark@... [firebird-support] wrote:
On 28-2-2019 18:06, Robert Tulloch tultalk@... [firebird-support]
wrote:
> Fixed:
>
> GetUniqueStatisticsStatement.Add(FORMAT('select Cast(%s AS varchar(32))AS TABLE_NAME, cast(%s AS varchar(32)) AS INDEX_NAME, cast(RDB$STATISTICS as varchar(32)) as RDB$STATISTICS',[tableName, indexName]));
> GetUniqueStatisticsStatement.Add('from rdb$indices where (RDB$SYSTEM_FLAG is null or RDB$SYSTEM_FLAG = 0 )');
> GetUniqueStatisticsStatement.Add(FORMAT('AND RDB$INDICES.RDB$INDEX_NAME = %s',[indexName]));
> GetUniqueStatisticsStatement.Add('ORDER BY RDB$STATISTICS DESC');
>
I don't know Delphi, but this looks like something that is vulnerable to
SQL injection. You might want to learn how to use parameters to avoid
introducing security issues in your application.
Mark
--
Mark Rotteveel
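
The parameterized form of the query quoted above, as an added example that is not code from the thread or from either poster. It assumes FireDAC's TFDQuery as the data-access component (the thread does not say which one is used) and that the names are passed as plain values without SQL quotes; the unit, procedure and parameter names are hypothetical.

```delphi
unit UniqueStatistics; // hypothetical unit name

interface

uses
  FireDAC.Stan.Param, FireDAC.Comp.Client;

// Query must already be attached to an open Firebird connection (assumption).
// TableName and IndexName are raw values, not pre-quoted SQL literals.
procedure OpenUniqueStatistics(Query: TFDQuery;
  const TableName, IndexName: string);

implementation

procedure OpenUniqueStatistics(Query: TFDQuery;
  const TableName, IndexName: string);
begin
  Query.Close;
  Query.SQL.Clear;
  // The statement text is constant: no FORMAT call and no caller-supplied
  // text ever becomes part of the SQL, so a quote character in a name
  // cannot change the structure of the statement.
  Query.SQL.Add('select cast(:TABLE_LABEL as varchar(32)) as TABLE_NAME,');
  Query.SQL.Add('       cast(:INDEX_LABEL as varchar(32)) as INDEX_NAME,');
  Query.SQL.Add('       cast(RDB$STATISTICS as varchar(32)) as RDB$STATISTICS');
  Query.SQL.Add('from rdb$indices');
  Query.SQL.Add('where (RDB$SYSTEM_FLAG is null or RDB$SYSTEM_FLAG = 0)');
  Query.SQL.Add('  and RDB$INDICES.RDB$INDEX_NAME = :INDEX_NAME');
  Query.SQL.Add('order by RDB$STATISTICS desc');

  // Values travel separately from the statement and are bound as data.
  // The casts give the two select-list parameters a known type; a value
  // longer than 32 characters is rejected by the server, not spliced in.
  Query.ParamByName('TABLE_LABEL').AsString := TableName;
  Query.ParamByName('INDEX_LABEL').AsString := IndexName;
  Query.ParamByName('INDEX_NAME').AsString := IndexName;

  Query.Open;
end;

end.
```

The index name is bound twice under distinct parameter names so the example does not depend on how a given component handles a repeated named parameter.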