
Any suggestions ?

  1. Any suggestions ?

    Anybody able to advise please

    I get the following message
    ORA-00933: SQL command not properly ended

    which relates to the following statement

    strSQL = "select * from Cottages, Pricebands where Location = '"&
    strLocation &"', Price Number = '"& strDates &"', Bedrooms Number = '"&
    strRooms &"', Pets = '"& strPets &"' "

    What's wrong ??

  2. Re: Any suggestions ?


    1. It appears that you are opening your app to a SQL injection attack.
    2. A single quote in any of the fields would result in the above error,
    essentially turning your SQL into something like this:
    select * from cottages, pricebands where location = 'D'angelo st'
    .......
    (i.e. an unescaped single quote).
    Use bind variables .. for performance .. and security!

    Anurag
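    The behaviour Anurag describes, shown side by side as an added example (not code from the thread): the concatenated statement breaks as soon as a location such as D'angelo st carries a quote, while the bound version keeps the SQL text fixed and passes the value separately. This example is written in Python against an in-memory sqlite3 table that stands in for the poster's Oracle Cottages table; the table layout and rows are constructed, and the :location placeholder is assumed to mirror Oracle's bind-variable syntax, which sqlite3 happens to accept as well.

```python
import sqlite3

# Constructed sample data standing in for the thread's Cottages table.
SAMPLE_ROWS = [
    ("D'angelo st", 2, "no"),   # location with an embedded single quote
    ("Seaview", 3, "yes"),
]


def make_db():
    """Build the in-memory stand-in table (sqlite3 so the demo runs offline)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table cottages (location text, bedrooms integer, pets text)")
    conn.executemany("insert into cottages values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_concatenated_sql(location):
    """Same construction as the poster's strSQL: the value is glued into the text."""
    return "select * from cottages where location = '" + location + "'"


def query_concatenated(conn, location):
    """Run the glued-together statement.

    Returns the matching rows, or an 'error: ...' string when the embedded
    quote terminates the literal early and the parser rejects the rest,
    which is the sqlite3 counterpart of the ORA-00933 the poster sees.
    """
    try:
        return conn.execute(build_concatenated_sql(location)).fetchall()
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def query_bound(conn, location):
    """Bind variable: the SQL text never changes, the value travels separately."""
    return conn.execute(
        "select * from cottages where location = :location",
        {"location": location},
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for loc in ("Seaview", "D'angelo st"):
        print("concatenated:", repr(loc), "->", query_concatenated(db, loc))
        print("bound:       ", repr(loc), "->", query_bound(db, loc))
```

    With binding, the quote in D'angelo st is just data and the row comes back; with concatenation the same input is a syntax error today and a statement rewrite in the hands of anyone who types into the form. The bound form also lets the database reuse the parsed statement, which is the performance point Anurag raises.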


  9. Re: Any suggestions ?


    ... oh .. and on second look.. the SQL seems completely wrong.
    You should instead ask ..what's not wrong in this SQL..
