[Encode_SQL] encodes any character that is reserved in MySQL SQL statements by placing a backslash before it. To help prevent SQL injection attacks, this tag should be used around every visitor-supplied value that is concatenated into a statement for an -SQL inline action. The tag takes a single argument, the string to be encoded.
Values passed to other inline actions such as -Search, -Add, or -Update are automatically encoded by Lasso. Values passed to SQLite or other data sources should generally be encoded using the [Encode_SQL92] tag instead of this tag.
This tag should be used around each individual value within a MySQL SQL statement. It cannot be used on an entire SQL statement.
[Encode_SQL: 'String Parameter']
[Inline: -SQL='SELECT * FROM Database.Table WHERE field LIKE \'' +
(Encode_SQL: 'String Parameter') + '\';']
...
[/Inline]
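To show why the tag is applied to each value rather than to the whole statement, here is an added Python model of the backslash encoding the page describes. It is example code written for this page, not LassoSoft's LCAPI implementation of [Encode_SQL], and the set of escaped characters is assumed to match MySQL's own string-literal rules; the sample inputs are constructed.

```python
import re

# Characters MySQL treats specially inside a quoted string literal, mapped to
# their backslash-escaped forms. Assumption: this is the set MySQL's own
# escaping handles; the page only says "reserved characters", so this is an
# approximation of [Encode_SQL], not its actual implementation.
_MYSQL_ESCAPES = {
    "\0": "\\0",
    "\b": "\\b",
    "\n": "\\n",
    "\r": "\\r",
    "\t": "\\t",
    "\x1a": "\\Z",
    '"': '\\"',
    "'": "\\'",
    "\\": "\\\\",
}


def encode_sql(value: str) -> str:
    """Backslash-escape MySQL-reserved characters in ONE value (the tag's job)."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def build_like_query_unencoded(user_value: str) -> str:
    """The unsafe form: a visitor value spliced straight into the literal."""
    return "SELECT * FROM Database.Table WHERE field LIKE '" + user_value + "';"


def build_like_query(user_value: str) -> str:
    """The page's example: the visitor value is encoded, then placed inside
    the statement's own single quotes."""
    return ("SELECT * FROM Database.Table WHERE field LIKE '"
            + encode_sql(user_value) + "';")


def encode_whole_statement(statement: str) -> str:
    """What the page warns against: encoding an entire statement also escapes
    the statement's own quotes, so MySQL no longer sees any string literal."""
    return encode_sql(statement)


def count_unescaped_quotes(statement: str) -> int:
    """Count single quotes that are not preceded by a backslash. An odd count
    means a visitor value broke out of its literal; zero means the statement's
    own delimiters were destroyed."""
    without_escape_pairs = re.sub(r"\\.", "", statement)
    return without_escape_pairs.count("'")


if __name__ == "__main__":
    # Constructed input containing an apostrophe, as a real surname might.
    visitor_value = "O'Brien"
    for label, stmt in (
        ("unencoded", build_like_query_unencoded(visitor_value)),
        ("per-value encoded", build_like_query(visitor_value)),
        ("whole statement encoded", encode_whole_statement(build_like_query_unencoded("x"))),
    ):
        print(f"{label:24s} quotes={count_unescaped_quotes(stmt)}  {stmt}")
```

Only the per-value form leaves exactly the two delimiting quotes intact: the unencoded form has three (the literal is broken open), and encoding the whole statement has none (the statement's own delimiters are escaped away), which is the reason the page says the tag cannot be applied to an entire SQL statement.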
See the Lasso 8 Language Guide for examples of how to use this tag. This tag is documented on page 367.
Tag Link | [Encode_SQL] | Category | Encoding |
---|---|---|---|
Type | Substitution | Data Source | Any |
Support | Preferred | Version | 6.0 |
Output Type | String | Security | Tag |
Implementation | LCAPI | Sets | Lasso 8.5, Lasso 8.0, Lasso 7.0, Lasso 6.0 |
©LassoSoft Inc 2015