- Jeff Hamilton
- PowerBuilder
- Thursday, 14 April 2022 01:59 PM UTC
Hello All,
I am a .Net c# developer who took over a PowerBuilder application. I have been doing some of the tutorials and had a question about the SQL connection part.
In going through the tutorial for PB (https://docs.appeon.com/pb2019/getting_started/ch06s05.html) they use the following for a connection param:
SQLCA.dbparm = ls_database + "UID=" + &
ls_userid + ";PWD=" + ls_password + "'"
This seems open to SQL injection and is encouraging new PB developers to follow this as a standard. Is there a better way to do this in PB?
In .Net you could :
using (SqlConnection connection = new SqlConnection(ConnectionString))
{
SqlCommand sqlCommand = new SqlCommand()
{
CommandText = "SELECT ProductId FROM Products WHERE ProductName = @productName",
CommandType = CommandType.Text,
};
sqlCommand.Parameters.Add("@productName", SqlDbType.NVarChar, 128).Value = name;
SqlDataReader reader = sqlCommand.ExecuteReader();
}
Is there a way to do something similar in PB so SQL strings are not open to SQL injection?
Thanks
Find Questions by Tag
Helpful?
If a reply or comment is helpful for you, please don’t hesitate to click the Helpful button. This action is further confirmation of their invaluable contribution to the Appeon Community.