Make sure that you’re not accepting direct string input from users for the table or column names, though, or you’re opening yourself up to SQL injection as an attack vector.
That's takes it down to just a few lines. Also, onCellEdit passes the colName & newValue. When I create the args list it use those values automatically.
I guess what I dont fully understand is why we use the format() for the instead if just including them as args?
I can see why y'all say use runPrepUpdate all the time. Much easier to keep up with.
Paul, I thought that was one of the benefits of using the runPrepUpdate and runPrepQuery scripts was it provides prepared statements which provide a layer of protection to SQL injection attacks. Is this not the case? I've never fully understood exactly how to achieve this, but is it as simple as placing single quotes around the question marks so if someone places a quotation mark it fails (or throws an error)?
Documentation indicates this, so if this isn't true, maybe a modification to this is warranted.
My understanding is that the statement is prepared for any value you pass via the ‘?’ and parameter syntax of runPrepUpdate. The potentially vulnerable part is the {0} and .format pieces. These aren’t handled any special way by runPrepUpdate because the query string is already constructed with potentially malicious SQL by the time runPrepUpdate starts.
Someone else will have to confirm, but I don’t think you can send schema objects (tables, columns, etc.) as prepared values. That’s why QueryString is still a (discouraged) option in named queries. I’m sure @PGriffith will correct me if I’m wrong about this.
SQL will not allow you to send schema objects as parameters.
It is indeed the case assuming a hard coded query string. However, when you allow dynamic construction of the query string, then the risk for injection is still there.
In this case so long as the dynamic values are only supplied by the programmer, then the risk is still mitigated, thus @PGriffith's warning to not allow user input into the query string itself.