Hello All,
I am a .NET C# developer who took over a PowerBuilder application. I have been doing some of the tutorials and had a question about the SQL connection part.
In going through the tutorial for PB (https://docs.appeon.com/pb2019/getting_started/ch06s05.html) they use the following for a connection param:
SQLCA.dbparm = ls_database + "UID=" + &
ls_userid + ";PWD=" + ls_password + "'"
This seems open to SQL injection and is encouraging new PB developers to follow this as a standard. Is there a better way to do this in PB?
In .NET you could:
using (SqlConnection connection = new SqlConnection(ConnectionString))
{
    connection.Open();
    SqlCommand sqlCommand = new SqlCommand()
    {
        Connection = connection,
        CommandText = "SELECT ProductId FROM Products WHERE ProductName = @productName",
        CommandType = CommandType.Text,
    };
    // The value is bound as a typed parameter and never concatenated into the SQL text
    sqlCommand.Parameters.Add("@productName", SqlDbType.NVarChar, 128).Value = name;
    SqlDataReader reader = sqlCommand.ExecuteReader();
}
Is there a way to do something similar in PB so SQL strings are not open to SQL injection?
Thanks
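As an added example (not from the original post or the Appeon tutorial), here is the PowerBuilder counterpart of the .NET parameter binding above: embedded SQL with host variables, and dynamic SQL where the statement text is fixed and values are passed separately with USING. The control name sle_name, the products table and its columns product_id and product_name are assumed for illustration.

```powerbuilder
// Added example, not from the original post or the Appeon tutorial.
// Assumes a connected SQLCA transaction object, a SingleLineEdit named
// sle_name, and a products table with product_id (integer) and
// product_name (varchar). All of these names are assumptions.

string  ls_name
string  ls_sql
long    ll_product_id

ls_name = sle_name.text   // user-supplied input, e.g. "Widget' OR '1'='1"

// 1) Embedded static SQL with a host variable (:ls_name).
//    The value is sent to the driver as a bound parameter, so the quote
//    inside ls_name is data, not part of the statement.
SELECT product_id INTO :ll_product_id
  FROM products
 WHERE product_name = :ls_name
 USING SQLCA;

IF SQLCA.SQLCode = 0 THEN
    MessageBox("Found", "Product id: " + String(ll_product_id))
ELSEIF SQLCA.SQLCode = 100 THEN
    MessageBox("Not found", "No product named " + ls_name)
ELSE
    MessageBox("DB error", SQLCA.SQLErrText)
END IF

// 2) Dynamic SQL with a result set (format 4): the statement text holds a
//    "?" placeholder and the value is supplied with OPEN DYNAMIC ... USING.
//    The statement is never built by concatenating ls_name into it.
ls_sql = "SELECT product_id FROM products WHERE product_name = ?"

DECLARE lc_products DYNAMIC CURSOR FOR SQLSA;
PREPARE SQLSA FROM :ls_sql USING SQLCA;
OPEN DYNAMIC lc_products USING :ls_name;

IF SQLCA.SQLCode <> 0 THEN
    MessageBox("DB error", SQLCA.SQLErrText)
ELSE
    FETCH lc_products INTO :ll_product_id;
    DO WHILE SQLCA.SQLCode = 0
        // ... process ll_product_id ...
        FETCH lc_products INTO :ll_product_id;
    LOOP
    CLOSE lc_products;
END IF

// 3) Dynamic SQL without a result set (format 2): PREPARE once, then
//    EXECUTE with the bound values in placeholder order.
PREPARE SQLSA FROM "UPDATE products SET product_name = ? WHERE product_id = ?" USING SQLCA;
EXECUTE SQLSA USING :ls_name, :ll_product_id;

IF SQLCA.SQLCode = 0 THEN
    COMMIT USING SQLCA;
ELSE
    ROLLBACK USING SQLCA;
    MessageBox("DB error", SQLCA.SQLErrText)
END IF
```

Note that the DBParm line quoted from the tutorial builds a connection string rather than a query, so the values that end up in it (ls_userid, ls_password) should come from configuration the application controls, not from end-user input; the host-variable and PREPARE/EXECUTE ... USING forms above are what keeps user input out of the SQL text once the connection exists.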
Also, .NET allows string interpolation, for example:
string _something = $"Today's date is: {DateTime.Now}";
which does the formatting for you. Is there something in PB that does the same?
Thanks for the info on PREPARE and EXECUTE; I will look into that more.