Problem with revExecuteSQL
Jan Schenkel
janschenkel at yahoo.com
Thu Nov 1 05:07:56 EDT 2007
--- Dave <dave at looktowindward.com> wrote:
> Hi,
>
> I am getting an invalid token error from
> revExecuteSQL. When I look
> at the data being inserted, it contains a ":"
> character followed by
> a number (a date field in the form DD:MM:YY). How do
> I insert this data?
>
> Here is the code:
>
> put "INSERT INTO " & theTableName & " (" & myTempKeyList & ") " & \
>     " VALUES (" & myValueList & ") " into mySQLCode
>
> revExecuteSQL theDatabaseID, mySQLCode
> put the result into myResult
>
> if myResult <> empty then
>   if myResult is not an integer then
>     answer error "Error in UtilDBInsertRecord, revExecuteSQL:" && myResult
>     breakpoint
>   end if
> end if
>
>
> Thanks a lot
> All the Best
> Dave
>
Hi Dave et al,
While the above approach will work fine as long as you
control the data that goes into this query string, you
should always be careful about so-called "sql
injection".
Here's a link to a lovely cartoon that shows what can
happen if you blindly execute a query that was cobbled
together from user input:
<http://xkcd.com/327/>
Enjoy,
Jan Schenkel.
Quartam Reports & PDF Library for Revolution
<http://www.quartam.com>
=====
"As we grow older, we grow both wiser and more foolish at the same time." (La Rochefoucauld)
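The following is an added example, not code from Dave's post or from Jan's reply, showing the same INSERT written with revExecuteSQL's numbered placeholders (":1", ":2", ...) and an array passed by name, the binding form the revExecuteSQL documentation describes. Because the statement text is scanned for a colon followed by a number, a date such as "01:11:07" spliced into the string is read as a placeholder rather than as data; binding keeps every value out of the statement text, which also removes the injection problem Jan points to. The handler name, parameter names and the table and column names in the usage comment are assumptions for illustration; theDatabaseID is assumed to be a connection returned by revOpenDatabase.

```livecode
-- Added example (not from the original thread). Values are bound through
-- revExecuteSQL's placeholder mechanism instead of being concatenated into
-- the SQL string, so neither a ":" in a date nor a quote or semicolon in a
-- value can change the statement. Names below are assumed for illustration.
on UtilDBInsertRecord theDatabaseID, theTableName, theColumnList, theValueArray
   -- theColumnList : comma-separated column names chosen by your own code
   -- theValueArray : array keyed 1..N holding the values in the same order
   -- Table and column names cannot be bound; they must come from your code,
   -- never from user input.
   local myValueCount, myPlaceholderList, mySQLCode, myResult, i
   put the number of lines of the keys of theValueArray into myValueCount
   if myValueCount = 0 then
      return "Error in UtilDBInsertRecord: no values supplied"
   end if
   -- Build ":1,:2,...,:N": one placeholder per value, none of the data
   -- itself goes into the statement string.
   repeat with i = 1 to myValueCount
      put ":" & i into item i of myPlaceholderList
   end repeat
   put "INSERT INTO " & theTableName & " (" & theColumnList & ")" \
         && "VALUES (" & myPlaceholderList & ")" into mySQLCode
   -- The third argument is the NAME of the array; revExecuteSQL reads it
   -- and substitutes element 1 for :1, element 2 for :2, and so on.
   revExecuteSQL theDatabaseID, mySQLCode, "theValueArray"
   put the result into myResult
   -- revExecuteSQL returns the number of affected rows, or an error string
   if myResult is not an integer then
      return "Error in UtilDBInsertRecord, revExecuteSQL:" && myResult
   end if
   return empty
end UtilDBInsertRecord

-- Usage (theDatabaseID is a connection you opened with revOpenDatabase;
-- the table and column names here are made up for the example):
-- local tValues
-- put "Dave" into tValues[1]
-- put "01:11:07" into tValues[2]   -- the DD:MM:YY value that broke the concatenated query
-- UtilDBInsertRecord theDatabaseID, "tContacts", "name,birthdate", tValues
-- if the result is not empty then answer error the result
```

Only the values are bound: the table name and column list still go into the statement text, so they have to come from your own script, never from anything a user typed. If you later need to insert a variable number of columns, build both theColumnList and theValueArray from the same trusted list of field names so the placeholder count always matches.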