BugTraq
PHPNuke SQL Injection Feb 20 2003 08:36PM
Lucas Armstrong (lucas cgishield com) (2 replies)
Re: PHPNuke SQL Injection / General SQL Injection Feb 21 2003 09:21PM
David Walker (bugtraq grax com) (1 replies)
When programming a system that creates SQL strings based on passed-in integers,
i.e. where some_int=$variable_from_querystring
you must always do a check to confirm that the variable contains only numeric
data.

An alternate fix on SQL servers that allow the format
where some_int='1234' -- (quoted numbers)
would be to do
where some_int='replace($variable_from_querystring,"'","''")'
This would cause a more than likely harmless error to occur whenever a character
occurs within the passed-in numeric/integer variable.

[ reply ]
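
Added example, not part of the original post or of PHPNuke's code: the two fixes described in the post above, next to the unchecked pattern, run against an in-memory SQLite table. The table `stories`, the column `sid`, all function names and the sample inputs are constructed for illustration, and binding the validated integer as a parameter goes one step beyond what the post describes.

```python
import re
import sqlite3

# ASCII digits only; fullmatch() also rejects a trailing newline.
_INT = re.compile(r"-?[0-9]{1,18}")

def parse_int_param(raw):
    """Return raw as an int, or raise ValueError if it is not purely numeric."""
    if not isinstance(raw, str) or not _INT.fullmatch(raw):
        raise ValueError("integer parameter contains non-numeric data")
    return int(raw)

def make_db():
    """Constructed sample table standing in for the application's data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stories (sid INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO stories VALUES (?, ?)",
                   [(1, "first"), (2, "second"), (3, "third")])
    return db

def lookup_unchecked(db, raw):
    # The pattern the post warns about: the value goes into the SQL text as-is.
    return db.execute("SELECT title FROM stories WHERE sid=" + raw).fetchall()

def lookup_checked(db, raw):
    # First fix from the post: numeric check. Binding is an addition here.
    sid = parse_int_param(raw)
    return db.execute("SELECT title FROM stories WHERE sid=?", (sid,)).fetchall()

def lookup_quoted(db, raw):
    # Alternate fix from the post: quote the number and double any single quote.
    # SQLite compares a non-numeric string to the integer column and matches
    # nothing; other servers may raise a conversion error instead.
    escaped = raw.replace("'", "''")
    return db.execute(
        "SELECT title FROM stories WHERE sid='" + escaped + "'").fetchall()

if __name__ == "__main__":
    db = make_db()
    for value in ("2", "2 OR 1=1"):  # constructed inputs
        print(repr(value), "unchecked:", lookup_unchecked(db, value))
        print(repr(value), "quoted:   ", lookup_quoted(db, value))
        try:
            print(repr(value), "checked:  ", lookup_checked(db, value))
        except ValueError as exc:
            print(repr(value), "checked:   rejected,", exc)
```
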
Re: PHPNuke SQL Injection / General SQL Injection Feb 22 2003 09:20PM
MightyE (mightye mightye org)
Re: PHPNuke SQL Injection Feb 21 2003 07:11AM
Martin Eiszner (martin websec org)


 

Copyright 2010, SecurityFocus