parameterized query with wildcard
bobsneidar at iotecdigital.com
Thu Jul 30 17:10:45 CEST 2015
Yes, it does. If you use the placeholder method (I am not really sure what to call it at this point) then sqlYoga sanitizes the strings for you. I've inserted records with any number of characters using this method without any problems reading in or out of the database.
I'm not sure if a direct query like "address = '\\bobscomputer\scans'" is sanitized. For the sake of standardization I always use the placeholder method.
> On Jul 28, 2015, at 09:17 , Andrew Kluthe <andrew at ctech.me> wrote:
> Does revDataFromQuery do any sanitizing/proper to prevent me from sneaking
> extra SQL into your search box like an injection style attack, or does it
> just plop whatever you give in there no questions asked? Just curious. I
> have always been spoiled by SQLYoga or rolled my DB interfaces up into API
> servers of some kind.
> On Tue, Jul 28, 2015 at 11:09 AM Dave Kilroy <dave at applicationinsight.com>
>> Mike, assuming you are searching the db with parameter pSearchTerm, try
>> something like this:
>> put "%" & pSearchTerm & "%" into tSearchTerm
>> put "SELECT * FROM foo WHERE bar LIKE :1" into tQuery
>> get revDataFromQuery(tab, return, sDBID, tQuery, "tSearchTerm")
>> "The difference between genius and stupidity is; genius has its limits." -
>> Albert Einstein
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
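The pattern Dave shows above (the wildcards are concatenated into the bound value, while the SQL text carries only the placeholder) and Bob's point that a placeholder takes care of quoting, as an added example that is not from this thread, from LiveCode or from sqlYoga. It is written in Python against an in-memory SQLite table using the same `foo`/`bar` names as the snippet; the sample rows, `search_unsafe`, and the `escape_like` helper are constructed here. It also shows a caveat the thread does not raise: binding keeps user input from becoming SQL, but a `%` or `_` typed by the user is still a LIKE wildcard unless it is escaped.

```python
import sqlite3

# Constructed sample rows (not data from the mailing-list thread).
SAMPLE_ROWS = [
    (r"\\bobscomputer\scans",),
    ("Bob's desk",),
    ("100% cotton",),
    ("alice_smith",),
    ("alicesmith",),
]


def make_db():
    """Create an in-memory SQLite table foo(bar) holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (bar TEXT)")
    conn.executemany("INSERT INTO foo (bar) VALUES (?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, search_term):
    """String-building version: the user's text becomes part of the SQL.

    A term containing a single quote (e.g. "Bob's") breaks the statement and
    raises sqlite3.OperationalError; this is the defect binding removes.
    """
    pattern = "%" + search_term + "%"
    cur = conn.execute(
        "SELECT bar FROM foo WHERE bar LIKE '" + pattern + "' ORDER BY rowid")
    return [row[0] for row in cur]


def search(conn, search_term):
    """Dave's approach: wildcards go on the bound value, the SQL has only '?'.

    Whatever the user types is handed to the database as one string value, so
    quotes and SQL fragments are compared as text, never parsed as SQL.
    """
    pattern = "%" + search_term + "%"
    cur = conn.execute(
        "SELECT bar FROM foo WHERE bar LIKE ? ORDER BY rowid", (pattern,))
    return [row[0] for row in cur]


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so user-typed % and _ match literally.

    The escape character itself is doubled first, then % and _ are prefixed.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_literal(conn, search_term):
    """Bound LIKE pattern plus an ESCAPE clause: user wildcards are inert."""
    pattern = "%" + escape_like(search_term) + "%"
    cur = conn.execute(
        "SELECT bar FROM foo WHERE bar LIKE ? ESCAPE '\\' ORDER BY rowid",
        (pattern,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print("bound, 'bob':       ", search(db, "bob"))
    print("bound, \"Bob's\":     ", search(db, "Bob's"))
    print("bound, 'alice_':    ", search(db, "alice_"))
    print("escaped, 'alice_':  ", search_literal(db, "alice_"))
    print("bound, '%':         ", len(search(db, "%")), "rows")
    print("escaped, '%':       ", search_literal(db, "%"))
```

Two things are worth checking in your own stack: that the placeholder mechanism really binds the value (a library that merely quotes and splices the string into the SQL is not equivalent), and whether a search box should let users type their own wildcards at all. If it should not, escape them as `search_literal` does; if it should, `search` already gives them that power safely, since `%` inside a bound value can only widen the match, never change the statement.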