On Thu, Apr 16, 2009 at 11:55 AM, MB Software Solutions General
Account <[email protected]> wrote:
> Mike yearwood wrote:
>> Hi Bill
>>
>> Look into parameterizing. That way you don't need to escape values and
>> you prevent sql injection attacks.
>
>
> Excellent suggestion!!!  Is injection completely impossible if you use
> the parameters approach?
-------------------------

There are 2 parts to this piece.  I read it as "I have to submit text
that contains ' marks."

Second Q here is whether injection is impossible if you use params.

The answer to that is NO.  Is it harder to achieve success in
injection attacks?  Much harder, but there are vulnerabilities.  That
param is read and stored to be used later on in the code, so if your
hack works to make the system unstable, your second hack could inject
rights to give someone or something to be used later.  Real hard to
determine if they work.


-- 
Stephen Russell
Sr. Production Systems Programmer
Web and Windows Development
Independent Contractor
Memphis TN

901.246-0159

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.
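An added example, not code from this thread or from the ProFox list, of the point about a parameter being "read and stored to be used later": Python with the standard sqlite3 module stands in for the SQL backend, and the table and function names are invented for illustration. The first insert is parameterized, so a value containing ' marks is stored with no escaping; a later step that rebuilds SQL text from that stored value is where a second-order problem shows up, while binding the value again keeps it safe.

```python
import sqlite3

# Constructed demo schema (not from the thread): users and an audit log.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.execute("CREATE TABLE audit (id INTEGER PRIMARY KEY, name TEXT, action TEXT)")
    return conn

def add_user(conn, name, role):
    # Parameterized insert: the value is bound, never spliced into the SQL
    # text, so a name with ' marks needs no escaping and is stored verbatim.
    conn.execute("INSERT INTO users (name, role) VALUES (?, ?)", (name, role))
    conn.commit()

def log_action_concat(conn, user_id, action):
    # Second-order hazard: the stored name is treated as trusted and
    # concatenated into a new statement. Whatever was saved earlier is now
    # part of the SQL grammar, which is the "used later" case from the mail.
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = "INSERT INTO audit (name, action) VALUES ('" + name + "', '" + action + "')"
    conn.execute(sql)
    conn.commit()

def log_action_param(conn, user_id, action):
    # Hardened form: the stored value is bound again at every later query.
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    conn.execute("INSERT INTO audit (name, action) VALUES (?, ?)", (name, action))
    conn.commit()

def audit_rows(conn):
    return conn.execute("SELECT name, action FROM audit ORDER BY id").fetchall()

def demo():
    conn = setup_db()
    add_user(conn, "O'Brien", "user")  # stored with its ' mark intact
    uid = conn.execute("SELECT id FROM users WHERE name = ?", ("O'Brien",)).fetchone()[0]
    try:
        log_action_concat(conn, uid, "login")
        concat_result = "ok"
    except sqlite3.OperationalError:
        concat_result = "syntax error"  # the stored ' mark broke the rebuilt SQL
    log_action_param(conn, uid, "login")  # same value, bound: succeeds
    return concat_result, audit_rows(conn)
```

The same ' mark that was harmless at the parameterized insert breaks the concatenated query later, so the review question for a code base is not "did we use parameters once" but "is every statement that touches this value parameterized".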
