When programming a system that creates SQL strings based on passed-in integers, i.e. where some_int=$variable_from_querystring, you must always do a check to confirm that that variable contains only numeric data. An alternate fix on SQL servers that allow the format where some_int='1234' (quoted numbers) would be to do where some_int='replace($variable_from_querystring,"'","''")'. This would cause a more than likely harmless error to occur whenever a character occurs within the passed-in numeric/integer variable.
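Worked example added here (it is not part of the original post and not from any project the post describes): a Python sqlite3 demonstration of the two defenses the post names, the numeric-only check before the integer is interpolated into the SQL string, and the quote-doubling alternative that keeps a stray character inside one string literal. It also adds a bound-parameter variant, which goes beyond the post as the form most drivers recommend today. The table `t`, its rows, the function names and the sample inputs are all constructed for this example. One caveat: SQLite compares a non-numeric quoted string against an INTEGER column without raising, so the quoted variant returns no rows here rather than the error the post expects from other servers.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the real database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (some_int INTEGER, label TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)",
                     [(1234, "first"), (42, "second")])
    conn.commit()
    return conn

# Optional sign followed by digits only; fullmatch rejects anything else.
_INT_RE = re.compile(r"-?[0-9]+")

def is_numeric(value: str) -> bool:
    """The check the post requires: the query-string value must be nothing
    but an integer before it is allowed anywhere near the SQL string."""
    return _INT_RE.fullmatch(value) is not None

def lookup_checked(conn, variable_from_querystring: str):
    """Interpolate the integer only after the numeric check passes.
    Returns the matching labels, or None when the input was rejected."""
    if not is_numeric(variable_from_querystring):
        return None
    # The check guarantees int() succeeds and that the interpolated text is
    # digits only, so the input cannot change the shape of the statement.
    sql = "SELECT label FROM t WHERE some_int=%d" % int(variable_from_querystring)
    return [row[0] for row in conn.execute(sql)]

def lookup_quoted(conn, variable_from_querystring: str):
    """The post's alternative: quote the value and double every embedded
    quote, so any extra characters stay inside a single string literal.
    SQLite then compares that literal to the INTEGER column; a value that
    is not purely numeric simply matches nothing (other servers may error)."""
    escaped = variable_from_querystring.replace("'", "''")
    sql = "SELECT label FROM t WHERE some_int='%s'" % escaped
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, variable_from_querystring: str):
    """Belt and braces (an addition beyond the post): validate, then bind the
    integer as a parameter so the driver never splices it into SQL text."""
    if not is_numeric(variable_from_querystring):
        return None
    sql = "SELECT label FROM t WHERE some_int=?"
    return [row[0] for row in conn.execute(sql, (int(variable_from_querystring),))]

if __name__ == "__main__":
    db = make_db()
    for value in ("1234", "1234abc", "12'34"):
        print(repr(value), lookup_checked(db, value),
              lookup_quoted(db, value), lookup_parameterized(db, value))
```

Running the block prints, for each constructed input, what the three lookups return: only the all-digit value reaches the database in the checked and parameterized paths, while the quoted path accepts the malformed values but cannot be broken out of by them.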
This archive was generated by hypermail 2b30 : Fri Feb 21 2003 - 13:35:21 PST