LabVIEW


"Format into string" with a variable no. of inputs

Slightly off topic, but if you're dealing with SQL statements you'd be better off using binding of SQL parameters rather than formatting strings. Use parameter names (like $AAA, $BBB) and attempt to bind all the parameters, ignoring any errors due to the parameters not present in that particular SQL statement.

One should favour SQL parameters over SQL string formatting for other reasons as well.

0 Kudos
Message 11 of 13
(749 Views)

On a side-side note:

The reason for choosing parameters instead of directly inserting the strings into the SQL command is that there is a danger of code insertion where a "parameter" is "injected" which actually contains a command (like delete the whole database). The SQL DB interprets this accordingly and whoops, everything's gone. Using parameters separates the command syntax from the strings for the parameters, meaning that such a delete string will NOT create an action on the side of the SQL DB.

See HERE for more info.

0 Kudos
Message 12 of 13
(745 Views)
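The separation Intaris describes, as an added example that is not part of the original thread and is Python rather than LabVIEW: a script against an in-memory SQLite database with constructed sample rows, showing the string-formatted query beside the parameter-bound one. It uses the $NAME placeholder style from the earlier post; handing the driver a dict with more names than the statement uses is harmless, because sqlite3 only looks up the names the statement actually contains, which is the "bind everything and ignore the rest" approach in a single call. The table name, column names, sample values and the use of executescript() to stand in for a driver that accepts a batch of statements are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the original thread):
# a few channel readings in an in-memory SQLite database.
CHANNELS = [("AI0", 1.5), ("AI1", 2.5), ("AI2", 3.5)]


def make_db():
    """Create the example table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE measurements (id INTEGER PRIMARY KEY, channel TEXT, value REAL)"
    )
    conn.executemany(
        "INSERT INTO measurements (channel, value) VALUES (?, ?)", CHANNELS
    )
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM measurements").fetchone()[0]


def lookup_formatted(conn, channel):
    """Vulnerable: the caller's string is pasted into the SQL text, so it is
    parsed as syntax. A single-statement driver still lets an attacker
    rewrite the WHERE clause (e.g. "AI0' OR '1'='1" matches every row)."""
    sql = "SELECT value FROM measurements WHERE channel = '%s'" % channel
    return [row[0] for row in conn.execute(sql)]


def run_formatted_batch(conn, channel):
    """Same formatting flaw through a driver that accepts a batch of
    statements (executescript() plays that role here, an assumption).
    Now the injected text can carry a second statement such as DELETE."""
    sql = "SELECT value FROM measurements WHERE channel = '%s';" % channel
    conn.executescript(sql)


def lookup_bound(conn, channel):
    """Hardened: the SQL text is fixed, the value travels separately as a
    bound parameter. $CHANNEL follows the $NAME convention from the thread;
    sqlite3 strips the leading '$' and looks the name up in the dict. The
    extra key UNUSED is ignored, so one dict can serve several statements."""
    sql = "SELECT value FROM measurements WHERE channel = $CHANNEL"
    params = {"CHANNEL": channel, "UNUSED": 42}
    return [row[0] for row in conn.execute(sql, params)]


# Constructed attacker inputs: one rewrites the filter, one smuggles a DELETE
# (it closes the quote, adds the DELETE, then opens a harmless SELECT so the
# template's trailing quote still parses).
LEAK_INPUT = "AI0' OR '1'='1"
DELETE_INPUT = "x'; DELETE FROM measurements; SELECT '"


def demo():
    """Run both styles against benign and hostile input; returns the outcomes."""
    conn = make_db()
    results = {}
    results["formatted_benign"] = lookup_formatted(conn, "AI0")
    results["formatted_leak"] = lookup_formatted(conn, LEAK_INPUT)
    results["bound_benign"] = lookup_bound(conn, "AI0")
    results["bound_leak_attempt"] = lookup_bound(conn, LEAK_INPUT)
    results["bound_delete_attempt"] = lookup_bound(conn, DELETE_INPUT)
    results["rows_after_bound"] = row_count(conn)
    run_formatted_batch(conn, DELETE_INPUT)
    results["rows_after_formatted_batch"] = row_count(conn)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

With parameters bound, both hostile strings are compared against the channel column as plain text and match nothing, and the table keeps all its rows; the formatted variants leak every row and then empty the table.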

@Intaris wrote:

On a side-side note:

The reason for choosing parameters instead of directly inserting the strings into the SQL command is that there is a danger of code insertion where a "parameter" is "injected" which actually contains a command (like delete the whole database). [...]

I was hoping your link would take us to this:

Jim
You're entirely bonkers. But I'll tell you a secret. All the best people are. ~ Alice
For he does not know what will happen; So who can tell him when it will occur? Eccl. 8:7

Message 13 of 13
(739 Views)