The problem with the examples in lecture (6-2) is that the application passes unfiltered user input straight into the SQL text. One response is to filter out every character with special meaning in SQL (single and double quotes, semicolons, the comment introducer --, and so on), but such blacklists are hard to get complete and they reject legitimate input that happens to contain those characters (an apostrophe in a surname, for example). The robust fix is described below.
Never concatenate user input with application SQL to form the SQL sent to the database. The easy way to do this is to use parameterized statements. Parameterized statements are where the variable parts of the SQL are replaced with markers (usually ?). Instead of concatenating the user input for the email address like this:
    select email from users where email = '<user input pasted in here>'

put a parameter marker in its place:

    select email from users where email = ?

The SQL is prepared when the SQL engine parses it, validates it and notes that there is one parameter, for the email address. When you execute it, you pass the parameter value separately from the SQL text. How you do this depends on the language you are using; in simplified ODBC-style C pseudocode (the real ODBC calls take a statement handle and several more arguments):

    char *user_input;   /* points to the user input string */
    SQLPrepare("select email from users where email = ?");
    SQLBindParameter(1, user_input);   /* bind the input to the first ? marker */
    SQLExecute();

Now it does not matter if a user enters any special SQL characters, because the value is only ever treated as data: it is never parsed by the SQL engine as part of the statement.
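The following is an added example, not code from the lecture, showing the concatenated lookup next to the parameterized one in Python's standard sqlite3 module. The users table and its rows are constructed here for the demonstration; the hostile inputs use the tautology and the -- comment introducer that the note above warns about, and the O'Brien address shows that the parameterized form also handles a legitimate quote that the concatenated form chokes on.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the lecture).
USERS = [
    ("alice@example.com",),
    ("bob@example.com",),
    ("o'brien@example.com",),   # a legitimate value containing a single quote
]


def make_db():
    """Build an in-memory database with a one-column users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (email text)")
    # executemany with ? markers is itself a parameterized statement
    conn.executemany("insert into users (email) values (?)", USERS)
    return conn


def lookup_concatenated(conn, user_input):
    """Vulnerable pattern: the input becomes part of the SQL text the engine parses."""
    sql = "select email from users where email = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_input):
    """Safe pattern: the SQL text is fixed and the input is bound to the ? marker,
    so the engine never parses the input as SQL."""
    sql = "select email from users where email = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def concatenation_fails(conn, user_input):
    """True if the concatenated query is rejected by the parser (broken SQL)."""
    try:
        lookup_concatenated(conn, user_input)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    for user_input in ["alice@example.com", "x' or '1'='1", "x' or 1=1 --"]:
        print(repr(user_input))
        print("  concatenated :", lookup_concatenated(conn, user_input))
        print("  parameterized:", lookup_parameterized(conn, user_input))
    # The legitimate apostrophe breaks the concatenated query but not the bound one.
    print("o'brien concatenated fails:", concatenation_fails(conn, "o'brien@example.com"))
    print("o'brien parameterized    :", lookup_parameterized(conn, "o'brien@example.com"))
```

With the tautology `x' or '1'='1` the concatenated query becomes `... where email = 'x' or '1'='1'` and returns every row; with `x' or 1=1 --` the trailing quote is commented out and the result is the same. The parameterized lookup returns nothing for both, because it is searching for an email address that literally equals those strings.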
The material shown above is an introduction to the lecture uploaded by the course instructor, and it may look incomplete: the instructor sometimes posts only the first part of a lecture so that you can see what you will be downloading later. The e-learning system provides this service to keep you informed about the content of the file you are about to download.