Hi,
Generally I am used to working in another programming environment and have
some questions on what dangers there are regarding SQL injections in MS
Access.
I have the following questions:
1) Using a DAO.QueryDef, a SQL statement with a parameters clause like
"PARAMETERS nAge Integer, sName Text; SELECT * FROM People WHERE Age = nAge
AND Name LIKE sName ORDER BY Name;". Upon filling the parameters with
QueryDef.Parameters("sName") = "Fred", do I still need to quote the string
and escape any quotes in it, or does the type setting to Text in the
parameters instruction do this for me?
2) When building SQL statements directly, is there anything else that I
should be mindful of besides quoting and escaping strings and checking the
validity of integers? Any other possible exploits that need to be catered for?
Regards,
Dirk Louwers
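As an added example (not part of the original post), the two approaches from the question written in DAO/VBA: the PARAMETERS query with values bound by type, next to a string-built query hardened the way question 2 asks about. It assumes a table People(Name Text, Age Integer) in the current database.

```vba
' Added example, not from the original post. Assumes a table People(Name Text, Age Integer).
Option Explicit

' Question 1: with a PARAMETERS clause the values are bound by their declared type,
' so the string is neither quoted nor escaped by the caller; a quote in sName is data.
Public Function FindPeopleByParam(ByVal nAge As Long, ByVal sName As String) As DAO.Recordset
    Dim qdf As DAO.QueryDef
    Set qdf = CurrentDb.CreateQueryDef("", _
        "PARAMETERS nAge Integer, sName Text; " & _
        "SELECT * FROM People WHERE Age = nAge AND Name LIKE sName ORDER BY Name;")
    qdf.Parameters("nAge").Value = nAge
    qdf.Parameters("sName").Value = sName          ' "O'Brien" is passed as-is
    Set FindPeopleByParam = qdf.OpenRecordset(dbOpenSnapshot)
End Function

' Question 2: when the SQL text has to be concatenated, every string literal is
' wrapped in single quotes with embedded quotes doubled, numeric input is coerced
' before use, and anything that cannot be a parameter at all (here the ORDER BY
' column) comes from a fixed list of known column names, never from the input.
Private Function SqlText(ByVal s As String) As String
    SqlText = "'" & Replace(s, "'", "''") & "'"
End Function

Public Function FindPeopleByString(ByVal ageText As String, ByVal sName As String, _
                                   ByVal orderCol As String) As DAO.Recordset
    Dim nAge As Long, sql As String
    nAge = CLng(ageText)                          ' non-numeric text raises a type error here
    Select Case orderCol                          ' identifiers cannot be parameters
        Case "Name", "Age"                        ' accepted as given
        Case Else: orderCol = "Name"              ' anything else falls back to a default
    End Select
    sql = "SELECT * FROM People WHERE Age = " & nAge & _
          " AND Name LIKE " & SqlText(sName) & " ORDER BY [" & orderCol & "];"
    Set FindPeopleByString = CurrentDb.OpenRecordset(sql, dbOpenSnapshot)
End Function
```

Note that LIKE still interprets wildcards inside the bound or escaped value, so a name containing * or ? widens the match; that affects which rows are returned, not the structure of the statement.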