Arpan
Microsoft advises not to pass parameters to the Command object in the
Execute statement. Why?
Thanks,
Arpan
Arpan said: Microsoft advises not to pass parameters to the Command object in the
Execute statement. Why?
Bob Barrows said: How do you get from the information in 165156 to the "huge security flaw"
statement? I recognize that you may be using "presume" as a synonym for
"guess", but there must be some basis for coming to this presumption ...
Please explain.
Egbert said: If you do not use parameter objects, you have to encode single quotes
(') and check each parameter for type validity.
Second, you have to write your -own- tools to convert date formats and to format money etc. in the
correct format. I've seen many Dutch programmers losing time writing
such tools (SQL Server and non-language-compatible configured systems
switch decimal symbols). Seriously, this is a waste of time and
possibly a security problem if you program like this:
myADO.execute "exec myProc " + request("myParam")
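The concatenated call from the post above next to a version that uses Parameter objects, as an added example that is not part of any post in this thread. It assumes myADO is an open ADODB.Connection and that myProc takes the three parameters shown; the parameter names, sizes and the orderDate and amount fields are hypothetical.

```vbscript
<%
' ADO constants (values from adovbs.inc), declared so the page is self-contained.
Const adCmdStoredProc = 4
Const adParamInput = 1
Const adVarChar = 200
Const adCurrency = 6
Const adDBTimeStamp = 135
Const adExecuteNoRecords = 128

' Concatenated form from the post: the request value becomes part of the SQL text,
' so quotes, dates and decimal symbols all have to be handled by hand.
' myADO.Execute "exec myProc " + Request("myParam")

' Type validity is checked once, before anything reaches the database.
' Hypothetical form fields: orderDate and amount.
If Not IsDate(Request("orderDate")) Or Not IsNumeric(Request("amount")) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = myADO      ' assumption: already-open connection
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "myProc"            ' procedure name only, no user input

' Each value is sent as typed data, never as SQL text.
' A single quote in myParam needs no encoding.
cmd.Parameters.Append cmd.CreateParameter("@myParam", adVarChar, adParamInput, _
    50, Left(CStr(Request("myParam")), 50))

' Date and money go over as Date and Currency values, so the server never
' parses a locale-formatted string (no decimal-symbol or day/month confusion).
cmd.Parameters.Append cmd.CreateParameter("@orderDate", adDBTimeStamp, _
    adParamInput, , CDate(Request("orderDate")))
cmd.Parameters.Append cmd.CreateParameter("@amount", adCurrency, _
    adParamInput, , CCur(Request("amount")))

cmd.Execute , , adExecuteNoRecords
Set cmd = Nothing
%>
```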