ADELIA (I/B) | SADELIA (B) | WADELIA (I/B)
Description
Used to sanitize the text of a "string"-type parameter used to build a SQL query with the aim of preventing SQL injection.
The function replaces unprintable characters with spaces and doubles the end-of-string delimiters ('). In the current implementation, it also doubles the escape character (\) if the DBMS parameter has the 'MYSQ' value.
Syntax
Result= &SQL_SANITIZE(string)
or Result= &SQL_SANITIZE(String;DBMS)
Parameters
 | Definition | Content | Controls
Result | Alphanumerical variable. | Character string correctly escaped to prevent SQL injection. |
String | Alphanumerical variable. | String of characters for which the function is executed. | Mandatory parameter.
DBMS | Constant or alphanumerical variable. | Name of the DBMS for which the escape is performed; the accepted values are those returned by the reserved word *DBMS. | Optional parameter.
NB: if the result field is not long enough, the obtained result is truncated and potentially invalid.
For example
* The real value is My bank
CLIENT_NAME = 'My bank'
QUERY= 'SELECT CCOD_CLI FROM CLIENTS WHERE CNOM_CLI=''' /// &SQL_SANITIZE(CLIENT_NAME) /// ''''
*
* The ' character is duplicated in the query text, which becomes
* SELECT CCOD_CLI FROM CLIENTS WHERE CNOM_CLI='My bank'
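The following Python model of the behaviour described above is an added example, not Adelia's own implementation of &SQL_SANITIZE. It reproduces the three documented steps (blank out unprintable characters, double the ' delimiter, double the \ escape when the DBMS value is 'MYSQ'), builds the same query as the Adelia example, and adds a check for the truncation caveat in the NB: a result field that is too short can cut a doubled '' in half and leave the escaping invalid. The function names, the choice of ASCII control characters as "unprintable", and the sample values are assumptions made for this example.

```python
import re

# Assumption: the page does not define "unprintable"; this model treats the
# ASCII control characters (0x00-0x1F and 0x7F) as unprintable.
_UNPRINTABLE = re.compile(r"[\x00-\x1f\x7f]")


def sql_sanitize(value: str, dbms: str = "") -> str:
    """Model of &SQL_SANITIZE: unprintable characters become spaces, the
    end-of-string delimiter ' is doubled, and for MySQL ('MYSQ') the escape
    character \\ is doubled as well."""
    out = _UNPRINTABLE.sub(" ", value)
    if dbms == "MYSQ":
        # Doubling \ and doubling ' are independent (neither replacement
        # produces the other character), so the order does not matter.
        out = out.replace("\\", "\\\\")
    return out.replace("'", "''")


def build_client_query(client_name: str, dbms: str = "") -> str:
    """Same construction as the Adelia example: the sanitized value is placed
    between single-quote delimiters in the WHERE clause."""
    return ("SELECT CCOD_CLI FROM CLIENTS WHERE CNOM_CLI='"
            + sql_sanitize(client_name, dbms) + "'")


def truncate_to_field(sanitized: str, field_length: int) -> str:
    """Model of storing the result in an alphanumerical field of fixed
    length: anything beyond field_length is silently dropped."""
    return sanitized[:field_length]


def escaping_is_intact(sanitized: str, dbms: str = "") -> bool:
    """True when every run of ' (and of \\ for MySQL) still has even length,
    i.e. no escape pair was cut in half by truncation. An odd run means the
    value would terminate the string early, which is the 'potentially
    invalid' result the NB warns about."""
    runs = re.findall(r"'+", sanitized)
    if dbms == "MYSQ":
        runs += re.findall(r"\\+", sanitized)
    return all(len(run) % 2 == 0 for run in runs)


if __name__ == "__main__":
    # Constructed sample values for demonstration.
    for name in ("My bank", "O'Brien", "line\x01two", "a\\'b"):
        print(build_client_query(name))
        print(build_client_query(name, "MYSQ"))
    # Truncation caveat: a 2-character result field cuts "O''Brien" to "O'".
    short = truncate_to_field(sql_sanitize("O'Brien"), 2)
    print(repr(short), escaping_is_intact(short))
```

The escaping only holds when the result is placed between single-quote delimiters exactly as in the example; a value inserted unquoted (for instance into a numeric comparison) gains nothing from doubled quotes. The truncation check is the practical test for the NB: size the result field to at least twice the input length plus any doubled backslashes, or verify the stored result with a check like `escaping_is_intact` before using it.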