SQL Injection - Best Practices

This was brought to my attention as being bad practice. I could easily move this to a named query, and have no issue or problem doing that; but I think named queries have a time and place. If I am using a query only 1 time for a singular purpose, I generally like to have it in the table local.

Does this open the door (as my criticism suggests) to any sort of SQL injection? Does the table component have any sort of security that would prevent external string manipulation for the 'query' variables?

I absolutely want to follow best practice, but I also like having some things the way that I have them. Am I in the wrong here?

Since you're not using any kind of string formatting to build your query (you're not), you're fine: no SQL injection risk. The prep variants of the SQL query functions are 'safe' against SQL injection (for parameters) as long as you're not opening your own hole by accepting user input into the actual query body.

2 Likes
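The distinction the reply draws (parameters bound by a prep-style call are safe; text formatted into the query body is not) is easy to see on a throwaway database. The following is an added example, not code from the thread or from the original poster's table; it uses Python's standard `sqlite3` module with a constructed `equipment` table, and `lookup_formatted`, `lookup_prepared`, `lookup_by_column` and `ALLOWED_COLUMNS` are hypothetical names chosen for the illustration. The same parameter model applies to any prepared-statement API, including the `runPrepQuery`-style functions the reply refers to if this is an Ignition script (the thread does not say). The third function shows the one case where some formatting into the query body is unavoidable, a column name chosen at runtime, and how an allowlist keeps that from becoming the "hole" the reply warns about.

```python
import sqlite3

# Constructed sample rows (not from the thread); one name contains an apostrophe on purpose
SAMPLE_ROWS = [
    ("Pump_1", "Running"),
    ("O'Brien_Valve", "Closed"),
    ("Mixer_3", "Faulted"),
]

# Hypothetical allowlist of identifiers a caller may select on
ALLOWED_COLUMNS = {"name", "status"}


def _connect():
    """Return an in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE equipment (name TEXT, status TEXT)")
    conn.executemany("INSERT INTO equipment VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_formatted(name):
    """Query body built with string formatting: the caller's text becomes SQL syntax.

    This is the pattern the reply says is unsafe; any quote in `name` changes
    the structure of the statement instead of being compared as data.
    """
    conn = _connect()
    sql = "SELECT name, status FROM equipment WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_prepared(name):
    """Prepared-statement form: the query body is fixed, `name` is bound as a parameter.

    Quotes, comment markers or keywords in `name` are compared literally.
    """
    conn = _connect()
    sql = "SELECT name, status FROM equipment WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def column_allowed(column):
    """Identifiers cannot be bound as parameters, so check them against an allowlist."""
    return column in ALLOWED_COLUMNS


def lookup_by_column(column, value):
    """Select on a runtime-chosen column: the identifier is allowlisted, the value is bound."""
    if not column_allowed(column):
        raise ValueError("column not allowed: %r" % column)
    conn = _connect()
    sql = "SELECT name, status FROM equipment WHERE %s = ?" % column
    return conn.execute(sql, (value,)).fetchall()


def compare(name):
    """Run both lookup styles on the same input and report rows, or the error raised."""
    try:
        formatted = lookup_formatted(name)
    except sqlite3.Error as exc:
        formatted = "error: %s" % exc
    return {"formatted": formatted, "prepared": lookup_prepared(name)}


if __name__ == "__main__":
    # A legitimate name with an apostrophe: the formatted query fails to parse,
    # the prepared query returns the row.
    print(compare("O'Brien_Valve"))
    # Quote-then-tautology input: the formatted query returns every row,
    # the prepared query returns none because no name equals that literal.
    print(compare("x' OR '1'='1"))
```

Running the module prints the two comparisons: for the apostrophe name the formatted variant reports a syntax error while the prepared variant finds the row, and for the tautology input the formatted variant returns all three rows while the prepared variant returns an empty list. The practical check on the original poster's table script is therefore just this: is every piece of external data passed in the parameter list, and is the query body a constant string (or, for identifiers, allowlisted)?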

Thank you for the feedback!

Tip: post code, not pictures of code, so we can copy it into our answers and edit it. Use the </> button to format it as code to preserve indents and apply syntax highlighting.