Test whether a SQL Statement is "just" SELECT |
Mon, May 25 2020 7:47 AM
Adam Brett (Orixa Systems) | At present in several parts of my applications I use the code:

    if (POS('SELECT', ' ' + aSQLStr) > 0) then

to test whether a SQL statement is a SELECT statement. The above provides a very soft test to avoid SQL injection (i.e. random INSERT or UPDATE statements being passed into my code by accident). However, many INSERT statements include SELECT ... so the above test is not actually good enough at any level.

How can I easily test that a SQL statement is just a SELECT statement?

I can see there is a "StatementType" on TEDBQuery, but it does not work as I expect. The following code:

    EDBQuery1.SQL.Text:= 'UPDATE Customers SET (ID, Name) = SELECT (ID, Name) FROM NewCustomers';
    EDBQuery1.Prepare;
    if EDBQuery1.StatementType = stSELECT then Showmessage('its a select');
    if EDBQuery1.StatementType = stUPDATE then Showmessage('its a select');

shows the message "its a select", when the statement is clearly UPDATE. Am I using the "StatementType" property wrongly? Is there a functional way to identify the type of an EDB Query?
Mon, May 25 2020 9:45 AM
Roy Lambert (NLH Associates, Team Elevate) | Adam,

Since I'm a "good boy" I've never tried it, but I understand it's possible to hide a nasty inside a select. I think the only sort of foolproof way is to parse the SQL and make sure there's nothing malicious.

Roy Lambert
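Roy's suggestion, parsing the statement instead of searching it for the word SELECT, worked through as an added example that is not part of this thread and is not ElevateDB or Elevate Software code. It is written in Python so it can be run as-is; the logic is a plain tokenizer and a keyword check, and ports directly to a Delphi function. It covers the cases Adam's POS test gets wrong: INSERT ... SELECT and UPDATE with a subselect (reported as SELECT), a lower-case select (missed), SELECT inside a string literal or comment, two statements separated by a semicolon, a WITH clause whose body is a DELETE, and SELECT ... INTO, which writes a table in some dialects. The WRITE_LEADERS list, the SELECT INTO caveat and the sample statements are my assumptions; Customers and NewCustomers are the only names taken from the thread.

```python
"""Classify a SQL string as exactly one read-only SELECT (added example, not
ElevateDB/Elevate Software code): tokenize, then inspect the statement's own
leading keyword instead of searching the text for the word SELECT."""
import re

# Leading keywords of statements that write data or schema (assumed list);
# any other unrecognized leader is rejected as well.
WRITE_LEADERS = {"INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE", "CREATE",
                 "ALTER", "DROP", "GRANT", "REVOKE", "EXECUTE", "EXEC", "CALL"}

_TOKEN = re.compile(r"""
    \s+                      # whitespace (dropped)
  | --[^\n]*                 # line comment (dropped)
  | /\*.*?\*/                # block comment (dropped)
  | '(?:[^']|'')*'           # string literal; '' is an escaped quote
  | "(?:[^"]|"")*"           # quoted identifier
  | [A-Za-z_][A-Za-z0-9_]*   # word or keyword
  | [();]                    # punctuation the classifier cares about
  | .                        # anything else, one character at a time
""", re.S | re.X)

def tokenize(sql):
    """Tokens minus whitespace and comments. A literal or quoted identifier is
    one token, so WHERE Body = 'SELECT' contains no SELECT keyword."""
    toks = (m.group(0) for m in _TOKEN.finditer(sql))
    return [t for t in toks if not (t.isspace() or t[:2] in ("--", "/*"))]

def split_statements(tokens):
    """Split on ';' (tokens are already outside literals and comments)."""
    stmts, cur = [], []
    for tok in tokens:
        if tok == ";":
            stmts, cur = stmts + ([cur] if cur else []), []
        else:
            cur.append(tok)
    return stmts + ([cur] if cur else [])

def top_level_keywords(tokens):
    """Upper-cased word tokens at parenthesis depth zero."""
    depth, out = 0, []
    for tok in tokens:
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif depth == 0 and (tok[0].isalpha() or tok[0] == "_"):
            out.append(tok.upper())
    return out

def leading_keyword(tokens):
    """The keyword that decides what the statement does: the first token, or
    for WITH name AS (...) <body> the first statement keyword of <body>, since
    in several dialects a CTE body may be INSERT/UPDATE/DELETE."""
    if not tokens:
        return ""
    if tokens[0].upper() != "WITH":
        return tokens[0].upper()
    for kw in top_level_keywords(tokens[1:]):
        if kw == "SELECT" or kw in WRITE_LEADERS:
            return kw
    return "WITH"  # no recognizable body

def classify(sql):
    """Return (is_plain_select, reason)."""
    statements = split_statements(tokenize(sql))
    if len(statements) != 1:
        return False, f"{len(statements)} statements; expected exactly one"
    leader = leading_keyword(statements[0])
    if leader != "SELECT":
        return False, f"leading keyword is {leader}, not SELECT"
    # Dialect caveat: SELECT ... INTO creates or fills a table in some engines
    # (SQL Server, PostgreSQL); reject a top-level INTO to stay conservative.
    if "INTO" in top_level_keywords(statements[0]):
        return False, "SELECT ... INTO writes a table in some dialects"
    return True, "single SELECT statement"

def naive_check(sql):
    """The thread's original test: the word SELECT appears somewhere."""
    return "SELECT" in sql  # same as POS('SELECT', ' ' + aSQLStr) > 0

# Constructed samples; Customers and NewCustomers are the thread's table names.
SAMPLES = {
    "plain select": "SELECT ID, Name FROM Customers WHERE Name LIKE 'A%'",
    "lowercase select": "select ID from Customers",
    "cte select": "WITH recent AS (SELECT ID FROM Orders) SELECT * FROM recent",
    "update with subselect": "UPDATE Customers SET Name = "
                             "(SELECT Name FROM NewCustomers n WHERE n.ID = Customers.ID)",
    "insert select": "INSERT INTO Archive (ID, Name) SELECT ID, Name FROM Customers",
    "stacked": "SELECT 1; DELETE FROM Customers",
    "keyword in literal": "DELETE FROM Notes WHERE Body = 'SELECT'",
    "keyword in comment": "DELETE FROM Notes -- SELECT",
    "cte delete": "WITH old AS (SELECT ID FROM Customers WHERE Active = 0) "
                  "DELETE FROM Customers WHERE ID IN (SELECT ID FROM old)",
    "select into": "SELECT * INTO Backup FROM Customers",
}

if __name__ == "__main__":
    for name, sql in SAMPLES.items():
        ok, why = classify(sql)
        print(f"{name:22} naive={naive_check(sql)!s:5} parsed={ok!s:5} {why}")
```

Running the module prints, for each sample, what the original POS test says next to what the parser says. Note the limits of this kind of check, which is Roy's real point: it only decides the shape of the statement. A statement that starts with SELECT can still call a function with side effects, or read tables the caller has no business reading, and no keyword test catches that. Where code still has to accept caller-supplied SQL, use this as a first gate, and put the actual protection in the database: run such statements through a connection or user that has read-only privileges, and prefer parameterised queries or a fixed allowlist of statements wherever the SQL does not genuinely need to be dynamic.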
Wed, Jun 3 2020 4:59 PM
Tim Young [Elevate Software] (Elevate Software, Inc., timyoung@elevatesoft.com) | Adam,

You've got a duplicate message:

    if EDBQuery1.StatementType = stSELECT then Showmessage('its a select');
    if EDBQuery1.StatementType = stUPDATE then Showmessage('its a select');  <<< Should read 'it's an update'

Tim Young
Elevate Software
www.elevatesoft.com
This web page was last updated on Sunday, May 19, 2024 at 08:46 AM | © 2024 Elevate Software, Inc. All Rights Reserved