CForti
asked on
CRecordset parameterized queries
Hi, I have a project in which I use a CRecordset-derived class extensively, and I would like to start using parameterized queries to open these recordsets instead of using pure string concatenation to create the queries, in order to avoid SQL injection and also so that I can handle strings that include escape characters and so on correctly.
So, does CRecordset in any way support parameterized queries, possibly in CRecordset::Open()?
Thanks!
ASKER
They are not a problem right now, but they may become a problem in the future. Additionally, some of the strings I want to retrieve from the database have the ' character in them, which will cause problems unless I
a) escape it, which I don't like, or
b) use parameterization, where I was told I could use any string, including the ' character that usually delimits a SQL string.
Therefore, I would like to use parameterization if possible.
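CRecordset does support parameterized queries: the filter (or the SQL passed to Open) carries `?` placeholders, the derived class declares `m_nParams`, and DoFieldExchange binds one member per placeholder after switching the field exchange to `CFieldExchange::param`. The bound value travels to the driver separately from the SQL text, so a name like `O'Brien` needs no escaping and cannot alter the statement. The following is an added example written for this thread, not the accepted solution and not code from the asker: the DSN, table and column names are placeholder values, and `CountPlaceholders` is a small defensive helper added here (it is not an MFC API). The MFC part is guarded with `_WIN32` so the helper can also be compiled on a non-Windows toolchain.

```cpp
// Added example: an MFC CRecordset-derived class that binds a query parameter
// with RFX instead of concatenating the value into the SQL string.
// DSN, table and column names below are constructed placeholders.
#include <string>

// Defensive helper (not part of MFC): count the '?' placeholders in a filter so
// the caller can confirm the count matches m_nParams before Open()/Requery().
// A '?' inside a single-quoted literal is not a placeholder and is skipped.
int CountPlaceholders(const std::string& filter)
{
    int count = 0;
    bool inQuote = false;
    for (char c : filter) {
        if (c == '\'')
            inQuote = !inQuote;
        else if (c == '?' && !inQuote)
            ++count;
    }
    return count;
}

#ifdef _WIN32   // MFC exists only on Windows; guarded so the helper above compiles anywhere
#include <afxdb.h>
#include <atlconv.h>

class CCustomerSet : public CRecordset
{
public:
    explicit CCustomerSet(CDatabase* pDb) : CRecordset(pDb), m_nId(0)
    {
        m_nFields = 2;            // output columns bound in DoFieldExchange
        m_nParams = 1;            // one '?' placeholder in m_strFilter
        m_nDefaultType = snapshot;
    }

    // Output columns
    long    m_nId;
    CString m_strName;

    // Parameter: bound to the '?' in m_strFilter, sent to the driver apart from the SQL text
    CString m_strNameParam;

    virtual CString GetDefaultConnect() { return _T("ODBC;DSN=ExampleDsn"); } // placeholder DSN
    virtual CString GetDefaultSQL()     { return _T("[Customers]"); }         // placeholder table

    virtual void DoFieldExchange(CFieldExchange* pFX)
    {
        pFX->SetFieldType(CFieldExchange::outputColumn);
        RFX_Long(pFX, _T("[Id]"), m_nId);
        RFX_Text(pFX, _T("[Name]"), m_strName);

        // Parameter section: each RFX call here binds to the next '?' in order of appearance
        pFX->SetFieldType(CFieldExchange::param);
        RFX_Text(pFX, _T("[Name]"), m_strNameParam);
    }
};

// Count the customers whose name equals 'name'. The value may contain quotes or
// other SQL syntax; it never becomes part of the statement text.
int FindCustomersByName(CDatabase& db, const CString& name)
{
    CCustomerSet rs(&db);
    rs.m_strFilter = _T("[Name] = ?");
    rs.m_strNameParam = name;      // e.g. "O'Brien" is passed unchanged

    // Sanity check: the placeholder count must match the declared parameter count
    std::string filter(CT2A(rs.m_strFilter));
    ASSERT(CountPlaceholders(filter) == (int)rs.m_nParams);

    int found = 0;
    rs.Open(CRecordset::snapshot);  // parameters are read at Open() time
    while (!rs.IsEOF()) {
        ++found;
        rs.MoveNext();
    }
    rs.Close();
    return found;
}
#endif // _WIN32
```

Parameter members must be assigned before Open(); to run the same query with a different value, assign the new value and call Requery() rather than rebuilding the filter. Placeholders bind positionally, so the order of RFX calls in the `param` section must match the order of the `?` marks in the filter and in any SQL passed to Open().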
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Thanks, I will check if this is a viable solution when I get back from vacation.
Cheers,
CForti
well?
They occur where the user hacks the query string, which is on plain display in the address bar, or otherwise obtained. Are you using query strings?