Problem with revExecuteSQL

Jan Schenkel janschenkel at yahoo.com
Thu Nov 1 05:07:56 EDT 2007


--- Dave <dave at looktowindward.com> wrote:
> Hi,
> 
> I am getting an invalid token error from revExecuteSQL.
> When I look at the data being inserted, it contains a ":"
> character followed by a number (a date field in the form
> DD:MM:YY). How do I insert this data?
> 
> Here is the code:
> 
>   put "INSERT INTO " & theTableName & " (" & myTempKeyList & ") " & \
>          " VALUES (" & myValueList & ") " into mySQLCode
> 
>      revExecuteSQL theDatabaseID,mySQLCode
>      put the result into myResult
> 
>      if myResult <> empty then
>        if myResult is not an integer then
>          answer error "Error in UtilDBInsertRecord, revExecuteSQL:" && myResult
>          breakpoint
>        end if
>      end if
> 
> 
> Thanks a lot
> All the Best
> Dave
> 

Hi Dave et al,

While the above approach will work fine as long as you
control the data that goes into this query string, you
should always be careful about so-called "sql
injection".
Here's a link to a lovely cartoon that shows what can
happen if you blindly execute a query that was cobbled
together from user input:
<http://xkcd.com/327/>

Enjoy,

Jan Schenkel.

Quartam Reports & PDF Library for Revolution
<http://www.quartam.com>

=====
"As we grow older, we grow both wiser and more foolish at the same time."  (La Rochefoucauld)
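The contrast Jan is pointing at, as an added example that is not part of either message: the thread's concatenation pattern beside a parameterized INSERT, run against an in-memory SQLite database. The table name, column names and sample rows are constructed for the demo; the same principle applies to revExecuteSQL's own variable-list form with `:1`-style placeholders, which is not shown here.

```python
import sqlite3

# Constructed sample rows: the DD:MM:YY value from the thread, plus a name
# containing a single quote, which is what breaks string-assembled SQL.
SAMPLE_ROWS = [
    {"name": "Dave", "event_date": "01:11:07"},
    {"name": "O'Brien", "event_date": "02:11:07"},
]

def build_query_by_concatenation(table, row):
    """The pattern from the thread: the data becomes part of the SQL text."""
    keys = ", ".join(row.keys())
    values = ", ".join("'" + v + "'" for v in row.values())
    return "INSERT INTO " + table + " (" + keys + ") VALUES (" + values + ")"

def insert_concatenated(conn, table, row):
    """Returns True if the row went in, False if the statement did not parse.
    Any quote in the data changes the meaning of the statement, which is
    exactly the opening SQL injection needs."""
    try:
        conn.execute(build_query_by_concatenation(table, row))
        return True
    except sqlite3.OperationalError:
        return False

def insert_parameterized(conn, table, row):
    """Values travel as bound parameters, never as SQL text, so colons and
    quotes in the data are stored verbatim. Identifiers (table and column
    names) cannot be bound; they must come from code or an allow-list, not
    from user input."""
    keys = ", ".join(row.keys())
    marks = ", ".join("?" for _ in row)
    sql = f"INSERT INTO {table} ({keys}) VALUES ({marks})"
    conn.execute(sql, tuple(row.values()))
    return True

def demo():
    """Run both approaches over the sample rows and report what was stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (name TEXT, event_date TEXT)")
    concat_ok = [insert_concatenated(conn, "events", r) for r in SAMPLE_ROWS]
    param_ok = [insert_parameterized(conn, "events", r) for r in SAMPLE_ROWS]
    stored = [r[0] for r in conn.execute("SELECT name FROM events ORDER BY rowid")]
    return concat_ok, param_ok, stored

if __name__ == "__main__":
    print(demo())
```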
